From f32c23c4cf3464cc87fb8a08fe7d0fc0adb0e009 Mon Sep 17 00:00:00 2001
From: lpichler <lpichler@redhat.com>
Date: Thu, 6 Apr 2017 12:14:47 +0200
Subject: [PATCH 1/4] Use base only when it is supported by direct rbac

it is fixing that specialized class model is passed but
rbac is returing objects with specialized class model's baseclass.

for example:
Rbac.filtered_object(MiqAeDomain.first, :user => User.first)

before:
returned object is MiqAeNamespace (as parent of MiqAeDomain)

after:
returned object is MiqAeDomain
---
 lib/rbac/filterer.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index dba55659527..ef94cefed24 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -199,7 +199,12 @@ def search(options = {})
           # assume klass is passed in
         else
           target_ids       = targets.collect(&:id)
-          klass            = targets.first.class.base_class unless klass.respond_to?(:find)
+          klass            = targets.first.class
+          unless klass.respond_to?(:find)
+            if klass.respond_to?(:base_class) && rbac_class(klass).nil? && rbac_class(klass.base_class)
+              klass = klass.base_class
+            end
+          end
         end
         scope = apply_scope(klass, scope)
         scope = apply_select(klass, scope, options[:extra_cols]) if options[:extra_cols]

From 26cc734639ef547e0020dcf5333fa492991cc9e7 Mon Sep 17 00:00:00 2001
From: lpichler <lpichler@redhat.com>
Date: Thu, 6 Apr 2017 12:20:31 +0200
Subject: [PATCH 2/4] Create method for condition and reuse it

---
 lib/rbac/filterer.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index ef94cefed24..d4d68cc9c9a 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -201,9 +201,7 @@ def search(options = {})
           target_ids       = targets.collect(&:id)
           klass            = targets.first.class
           unless klass.respond_to?(:find)
-            if klass.respond_to?(:base_class) && rbac_class(klass).nil? && rbac_class(klass.base_class)
-              klass = klass.base_class
-            end
+            klass = base_class if (base_class = rbac_base_class(klass))
           end
         end
         scope = apply_scope(klass, scope)
@@ -218,7 +216,7 @@ def search(options = {})
           klass = targets
           klass = klass.klass if klass.respond_to?(:klass)
           # working around MiqAeDomain not being in rbac_class
-          klass = klass.base_class if klass.respond_to?(:base_class) && rbac_class(klass).nil? && rbac_class(klass.base_class)
+          klass = base_class if (base_class = rbac_base_class(klass))
         end
         scope = apply_select(klass, scope, options[:extra_cols]) if options[:extra_cols]
       end
@@ -308,6 +306,10 @@ def apply_rbac_through_association?(klass)
       klass != VimPerformanceDaily && (klass < MetricRollup || klass < Metric)
     end
 
+    def rbac_base_class(klass)
+      klass.base_class if klass.respond_to?(:base_class) && rbac_class(klass).nil? && rbac_class(klass.base_class)
+    end
+
     def safe_base_class(klass)
       klass = klass.base_class if klass.respond_to?(:base_class)
       klass

From 6663103875bcc331f81031faae96513b7dd78277 Mon Sep 17 00:00:00 2001
From: lpichler <lpichler@redhat.com>
Date: Thu, 6 Apr 2017 12:21:47 +0200
Subject: [PATCH 3/4] Move condition to one place

---
 lib/rbac/filterer.rb | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index d4d68cc9c9a..75eab4911e5 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -198,11 +198,9 @@ def search(options = {})
           target_ids = targets
           # assume klass is passed in
         else
-          target_ids       = targets.collect(&:id)
-          klass            = targets.first.class
-          unless klass.respond_to?(:find)
-            klass = base_class if (base_class = rbac_base_class(klass))
-          end
+          target_ids  = targets.collect(&:id)
+          klass       = targets.first.class
+          klass       = base_class if !klass.respond_to?(:find) && (base_class = rbac_base_class(klass))
         end
         scope = apply_scope(klass, scope)
         scope = apply_select(klass, scope, options[:extra_cols]) if options[:extra_cols]

From e314f310b2482c96a7936eb43c0a273de361eb83 Mon Sep 17 00:00:00 2001
From: lpichler <lpichler@redhat.com>
Date: Thu, 6 Apr 2017 12:39:04 +0200
Subject: [PATCH 4/4] Specs

---
 spec/lib/rbac/filterer_spec.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index fc9c6fbf267..a90055ae0e4 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -41,6 +41,18 @@
       end
     end
 
+    context 'when class does not participate in RBAC' do
+      let(:miq_ae_domain) { FactoryGirl.create(:miq_ae_domain) }
+
+      it 'returns same class as input' do
+        User.with_user(admin_user) do
+          results = described_class.search(:targets => [miq_ae_domain]).first
+          expect(results.first).to be_an_instance_of(MiqAeDomain)
+          expect(results).to match_array [miq_ae_domain]
+        end
+      end
+    end
+
     describe "with find_options_for_tenant filtering" do
       before do
         owned_vm # happy path