Allow more specific restriction types for roles

Follow 6072d2c in allowing more specific restriction types. Default values of ':user' following the original global default value.
ManageIQ · Aug 9, 2023 · 73c6034 · 73c6034
1 parent f39a498
commit 73c6034
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 10 deletions.
diff --git a/app/models/miq_user_role.rb b/app/models/miq_user_role.rb
@@ -7,8 +7,10 @@ class MiqUserRole < ApplicationRecord
   has_many                :miq_groups, :through => :entitlements
   has_and_belongs_to_many :miq_product_features, :join_table => :miq_roles_features
 
-  virtual_column :vm_restriction,               :type => :string
-  virtual_column :service_template_restriction, :type => :string
+  virtual_column :auth_key_pair_restriction,        :type => :string
+  virtual_column :orchestration_stacks_restriction, :type => :string
+  virtual_column :service_template_restriction,     :type => :string
+  virtual_column :vm_restriction,                   :type => :string
 
   validates :name, :presence => true, :uniqueness_when_changed => {:case_sensitive => false}
 
@@ -100,14 +102,24 @@ def self.seed_from_array(roles, array, merge_features = false)
 
   virtual_total :group_count, :miq_groups
 
-  def vm_restriction
-    vmr = settings&.dig(:restrictions, :vms)
-    vmr ? RESTRICTIONS[vmr] : "None"
+  def auth_key_pair_restriction
+    restrictions(:auth_key_pairs)
+  end
+
+  def orchestration_stack_restriction
+    restrictions(:orchestration_stacks)
   end
 
   def service_template_restriction
-    str = settings&.dig(:restrictions, :service_templates)
-    str ? RESTRICTIONS[str] : "None"
+    restrictions(:service_templates)
+  end
+
+  def service_restriction
+    restrictions(:services)
+  end
+
+  def vm_restriction
+    restrictions(:vms)
   end
 
   def super_admin_user?
@@ -140,10 +152,21 @@ def self.display_name(number = 1)
 
   private
 
+  def restrictions(restriction_type)
+    restrictions = settings&.dig(:restrictions, restriction_type)
+    restrictions ? RESTRICTIONS[vmr] : "None"
+  end
+
   def restriction_type(klass)
     klass ||= Class
-    if klass <= ServiceTemplate
+    if klass <= ManageIQ::Providers::CloudManager::AuthKeyPair
+      :auth_key_pairs
+    elsif klass <= OrchestrationStack
+      :orchestration_stacks
+    elsif klass <= ServiceTemplate
       :service_templates
+    elsif klass <= Services
+      :services
     else
       :vms
     end

diff --git a/db/fixtures/miq_user_roles.yml b/db/fixtures/miq_user_roles.yml
@@ -947,8 +947,11 @@
   :read_only: true
   :settings:
     :restrictions:
-      :vms: :user
+      :auth_key_pairs:  :user
+      :orchestration_stacks: :user
       :service_templates: :user
+      :services: :user
+      :vms: :user
   :miq_product_feature_identifiers:
   - about
   - all_vm_rules
@@ -1134,8 +1137,11 @@
   :read_only: true
   :settings:
     :restrictions:
-      :vms: :user_or_group
+      :auth_key_pairs:  :user_or_group
+      :orchestration_stacks: :user_or_group
       :service_templates: :user_or_group
+      :services: :user_or_group
+      :vms: :user_or_group
   :miq_product_feature_identifiers:
   - about
   - all_vm_rules