Improve permissions on resources in host creation/editing form
We can limit resources that are displayed to the user in host form using new granular permission. Or we could allow resources based on used hostgroup.
Fixes #4477 - Host[group] form only show authorized resources
Previously, most dropdowns in the host and hostgroup edit forms
displayed all of the existing resources, including some that a user may
not have been authorized to view.
This commit makes sure only authorized resources are displayed, with the
exception of the current resource - so that editing a host will not
cause changes to its current associations in case the user is not
allowed to see them. This also includes a refactoring of the code to
I have also included a change to `with_taxonomy_scope_override` that
allows its use for relations. This was not previously possible due to
the `.unscoped` which was used to remove the default scope and has been
replaced with `.unscope(:where => :taxonomy)` that only removes any
previous taxonomy scopes.
#2 Updated by Dominic Cleal about 5 years ago
The same applies to other resources like domains, subnets and realms which have associated smart proxies. In theory we can use .authorized and only show the proxies on the form which the user has access to, but in practice this means a user who has edit permissions on a domain but no rights to view the associated smart proxies might inadvertently unset or change the associated proxy.
Our forms need to be smarter about associations to other resources that the user doesn't have access to.
#14 Updated by Roy Williams almost 4 years ago
Once a host group is created it is not possible to change puppet classes from within the host group once hosts are associated to it. However it is possible to associate puppet classes from the Configure -> Puppet -> Puppet Classes tab and check box them so they will work. The other issue is it's not possible to populate parameter overrides since I receive the error "Validation failed: Taxonomy has already been taken"