From cec2dcfbf7e6a148a1dc997fdcf052c7c98e34ec Mon Sep 17 00:00:00 2001
From: Martin Povolny
Date: Fri, 13 Jan 2017 13:26:59 +0100
Subject: [PATCH] Tenant admin should not be able to create groups in other tenants.

https://github.com/ManageIQ/manageiq-ui-classic/issues/134

This is only a part of the fix. The 2nd part needs fixing on the manageiq core side.
---
 app/controllers/ops_controller/ops_rbac.rb | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/controllers/ops_controller/ops_rbac.rb b/app/controllers/ops_controller/ops_rbac.rb
index 3c781ff7b9e2..6ad8af13f520 100644
--- a/app/controllers/ops_controller/ops_rbac.rb
+++ b/app/controllers/ops_controller/ops_rbac.rb
@@ -1027,6 +1027,11 @@ def rbac_user_validate?
 valid
 end
 
+ def valid_tenant?(tenant_id)
+ all_tenants, _ = Tenant.tenant_and_project_names
+ all_tenants.include?(tenant_id)
+ end
+
 # Get variables from group edit form
 def rbac_group_get_form_vars
 if %w(up down).include?(params[:button])
@@ -1036,7 +1041,15 @@ def rbac_group_get_form_vars
 @edit[:new][:ldap_groups_user] = params[:ldap_groups_user] if params[:ldap_groups_user]
 @edit[:new][:description] = params[:description] if params[:description]
 @edit[:new][:role] = params[:group_role] if params[:group_role]
- @edit[:new][:group_tenant] = params[:group_tenant].to_i if params[:group_tenant]
+
+ if params[:group_tenant]
+ if valid_tenant?(new_tenant_id = params[:group_tenant].to_i+1)
+ @edit[:new][:group_tenant] = new_tenant_id
+ else
+ raise "Invalid tenant selected."
+ end
+ end
+
 @edit[:new][:lookup] = (params[:lookup] == "1") if params[:lookup]
 @edit[:new][:user] = params[:user] if params[:user]
 @edit[:new][:user_id] = params[:user_id] if params[:user_id]
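Review bot: The membership test in `valid_tenant?` compares an Integer against whatever `Tenant.tenant_and_project_names` returns, and that method's name suggests it yields names (or name/id pairs) rather than bare ids; if so, `all_tenants.include?(tenant_id)` can never be true and every group save that carries a tenant would raise, which a test that saves a group in the admin's own tenant would catch. The check is also only as strong as the scoping of that core query to the current user — the commit message itself says the core side still needs fixing, so until then this rejects nothing the caller could not already select. If `valid_tenant?` sits above the controller's `private` marker (not visible in this hunk) it becomes a routable action; keeping it private, e.g. `private def valid_tenant?(tenant_id)`, avoids exposing a tenant-existence oracle. A one-line comment such as `# Rejects tenant ids outside the set the current user may see` would also record the intent the commit title states.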
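Review bot: `params[:group_tenant].to_i+1` validates and stores a tenant id one higher than the one submitted, so the persisted value never matches the form's selection unless the select's values are 0-based indices into the tenant list, which the hunk does not show; this reads like a leftover from exercising the new check and should be `if valid_tenant?(new_tenant_id = params[:group_tenant].to_i)`. Since `String#to_i` turns any non-numeric input into 0, rejecting 0 explicitly (`next` or an early error when `new_tenant_id.zero?`) makes the failure mode clearer than relying on the lookup to miss. Raising a bare `RuntimeError` from a form-vars helper surfaces a crafted request as a server error instead of a validation message; `rbac_group_get_form_vars` continues outside the hunk, so its usual error-reporting path is not visible here, but that path is the better place for "Invalid tenant selected.".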