From 8b65ddc482566e8b26daabe29e16ffb73a81e98f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?=
Date: Tue, 22 Nov 2016 12:37:20 +0100
Subject: [PATCH] Do not create notification for people unable to see given objects
Addressing: https://bugzilla.redhat.com/show_bug.cgi?id=1394283
---
 app/models/notification.rb | 5 +++++
 .../miq_automation_engine/miq_ae_service_spec.rb | 5 ++++-
 spec/models/notification_spec.rb | 13 +++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/app/models/notification.rb b/app/models/notification.rb
index 7d5826d5e69..08d8aca9234 100644
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@@ -42,6 +42,11 @@ def emit_message
 def set_notification_recipients
 subscribers = notification_type.subscriber_ids(subject, initiator)
+ if subject
+ subscribers.reject! do |subscriber_id|
+ Rbac.filtered_object(subject, :user => User.find(subscriber_id)).blank?
+ end
+ end
 self.notification_recipients_attributes = subscribers.collect { |id| {:user_id => id } }
 end
diff --git a/spec/lib/miq_automation_engine/miq_ae_service_spec.rb b/spec/lib/miq_automation_engine/miq_ae_service_spec.rb
index e4ea8e25d3e..0918fdda9e6 100644
--- a/spec/lib/miq_automation_engine/miq_ae_service_spec.rb
+++ b/spec/lib/miq_automation_engine/miq_ae_service_spec.rb
@@ -153,7 +153,10 @@ module MiqAeServiceSpec
 end
 end
 context "create notifications" do
- before { NotificationType.seed }
+ before do
+ NotificationType.seed
+ allow(User).to receive_messages(:server_timezone => 'UTC')
+ end
 let(:options) { {} }
 let(:workspace) do
diff --git a/spec/models/notification_spec.rb b/spec/models/notification_spec.rb
index 6a7a92578a4..9ee517e8a92 100644
--- a/spec/models/notification_spec.rb
+++ b/spec/models/notification_spec.rb
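Review bot: `User.find(subscriber_id)` inside the `reject!` block raises `ActiveRecord::RecordNotFound` for any subscriber id that no longer resolves to a user, which would abort `set_notification_recipients` for every recipient, and it issues one query per subscriber. Loading the users once and treating a missing user as not authorized keeps the filter fail-closed: `users = User.where(:id => subscribers).index_by(&:id)` followed by `subscribers = subscribers.select { |id| users[id] && Rbac.filtered_object(subject, :user => users[id]).present? }`. Using `select` instead of `reject!` also avoids mutating the array returned by `notification_type.subscriber_ids`, which may be shared if that method caches its result (not visible here). The visibility check runs only when the notification is created and only against `subject`, so a comment such as `# RBAC: recipients are fixed at creation time; only users who can see subject are notified` would make that boundary explicit.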
@@ -1,4 +1,5 @@
 describe Notification, :type => :model do
+ before { allow(User).to receive_messages(:server_timezone => 'UTC') }
 before { NotificationType.seed }
 let(:tenant) { FactoryGirl.create(:tenant) }
 let!(:user) { FactoryGirl.create(:user_with_group, :tenant => tenant) }
@@ -22,6 +23,18 @@
 expect_any_instance_of(ActionCable::Server::Base).to receive(:broadcast)
 subject # force the creation of the db object
 end
+
+ context 'tenant includes user without access to the subject (vm)' do
+ let(:limiting_role) { FactoryGirl.create(:miq_user_role, :settings => {:restrictions=>{:vms=>:user}}) }
+ let(:limited_group) do
+ FactoryGirl.create(:miq_group, :tenant_type, :tenant => tenant, :miq_user_role => limiting_role)
+ end
+ let!(:limited_user) { FactoryGirl.create(:user, :miq_groups => [limited_group]) }
+
+ it 'emits notifications only to those users, who are authorized to see the subject' do
+ expect(subject.recipients).to match_array([user])
+ end
+ end
 end
 end
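Review bot: The new context in the second hunk checks only that a restricted user is dropped; the `if subject` guard this commit adds to `set_notification_recipients` has no example for a notification created without a subject, so a regression that filters out every recipient (or none) on that path would still pass. An example that builds a notification with no subject and expects the unfiltered subscriber list in `recipients` would pin that branch. The settings hash is also written without spaces around the hash rockets, unlike the other lines in this spec; `:settings => {:restrictions => {:vms => :user}}` matches the surrounding style.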