Fixes #30394 - allow non-admins deal with untaxed filters

Prior this non-admin user would have to have assigned Role without taxonomies (global role) to be able to manipulate filters. This allows manipulating Filters to any User with Filter perms. Filters with taxonomies mean they apply to taxonomy. But given they have taxonomies relations, they are expected to be taxable in our permission model. All taxable resources have to have the same taxonomies as Filter have. Some filters doesn't have taxonomies as their underlying resource doesn't have taxonomies. That mean they were unable to be touched by non-admins prior this patch. This also drops current taxonomy relations in migration and force flip the `Override` flag to false for Filter resource filters.
theforeman · Jun 18, 2021 · 2a0ad91 · 2a0ad91
1 parent 1f10660
commit 2a0ad91
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/app/models/filter.rb b/app/models/filter.rb
@@ -61,6 +61,10 @@ def ensure_taxonomies_not_escalated
 
   validate :same_resource_type_permissions, :not_empty_permissions, :allowed_taxonomies
 
+  def self.allows_taxonomy_filtering?(_taxonomy)
+    false
+  end
+
   def self.search_by_unlimited(key, operator, value)
     search_by_limited(key, operator, (value == 'true') ? 'false' : 'true')
   end

diff --git a/db/migrate/20210609093404_drop_override_taxonomies_from_filter.rb b/db/migrate/20210609093404_drop_override_taxonomies_from_filter.rb
@@ -0,0 +1,8 @@
+class DropOverrideTaxonomiesFromFilter < ActiveRecord::Migration[6.0]
+  def up
+    perms = Permission.where(name: %w[view_filters create_filters edit_filters destroy_filters])
+    filters = Filter.joins(:filterings).where(filterings: { permission_id: perms })
+    filters.update_all(override: false)
+    TaxableTaxonomy.where(taxable: filters).delete_all
+  end
+end