Merge pull request #12771 from isimluk/rhbz#1394283

Emit notifications only when user is authorized to see concerned object
ManageIQ · Nov 22, 2016 · 538b938 · 538b938
2 parents 715a278 + 8b65ddc
commit 538b938
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/app/models/notification.rb b/app/models/notification.rb
@@ -42,6 +42,11 @@ def emit_message
 
   def set_notification_recipients
     subscribers = notification_type.subscriber_ids(subject, initiator)
+    if subject
+      subscribers.reject! do |subscriber_id|
+        Rbac.filtered_object(subject, :user => User.find(subscriber_id)).blank?
+      end
+    end
     self.notification_recipients_attributes = subscribers.collect { |id| {:user_id => id } }
   end
 

diff --git a/spec/lib/miq_automation_engine/miq_ae_service_spec.rb b/spec/lib/miq_automation_engine/miq_ae_service_spec.rb
@@ -153,7 +153,10 @@ module MiqAeServiceSpec
       end
     end
     context "create notifications" do
-      before { NotificationType.seed }
+      before do
+        NotificationType.seed
+        allow(User).to receive_messages(:server_timezone => 'UTC')
+      end
 
       let(:options) { {} }
       let(:workspace) do

diff --git a/spec/models/notification_spec.rb b/spec/models/notification_spec.rb
@@ -1,4 +1,5 @@
 describe Notification, :type => :model do
+  before { allow(User).to receive_messages(:server_timezone => 'UTC') }
   before { NotificationType.seed }
   let(:tenant) { FactoryGirl.create(:tenant) }
   let!(:user) { FactoryGirl.create(:user_with_group, :tenant => tenant) }
@@ -22,6 +23,18 @@
         expect_any_instance_of(ActionCable::Server::Base).to receive(:broadcast)
         subject # force the creation of the db object
       end
+
+      context 'tenant includes user without access to the subject (vm)' do
+        let(:limiting_role) { FactoryGirl.create(:miq_user_role, :settings => {:restrictions=>{:vms=>:user}}) }
+        let(:limited_group) do
+          FactoryGirl.create(:miq_group, :tenant_type, :tenant => tenant, :miq_user_role => limiting_role)
+        end
+        let!(:limited_user) { FactoryGirl.create(:user, :miq_groups => [limited_group]) }
+
+        it 'emits notifications only to those users, who are authorized to see the subject' do
+          expect(subject.recipients).to match_array([user])
+        end
+      end
     end
   end