From 95a6c6b67ec8b65b3539a2fa512806ddb73696f0 Mon Sep 17 00:00:00 2001
From: benjaminapetersen <ben@benjaminapetersen.me>
Date: Tue, 31 Oct 2017 11:27:08 -0400
Subject: [PATCH] Fix bugzilla 15077030 where deleting a rolebinding for a
 serviceaccount can delete additional rolebindings for serviceaccounts from
 another namespace

---
 app/scripts/controllers/membership.js         |  5 ++--
 .../services/membership/roleBindings.js       | 16 +++++++++----
 app/views/membership.html                     |  2 +-
 dist/scripts/scripts.js                       | 23 ++++++++++---------
 dist/scripts/templates.js                     |  2 +-
 5 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/app/scripts/controllers/membership.js b/app/scripts/controllers/membership.js
index d21e9fed35..6ea6114b2c 100644
--- a/app/scripts/controllers/membership.js
+++ b/app/scripts/controllers/membership.js
@@ -274,7 +274,8 @@ angular
             project: project,
             subjectKinds: subjectKinds,
             canUpdateRolebindings: canI('rolebindings', 'update', projectName),
-            confirmRemove: function(subjectName, kindName, roleName) {
+            confirmRemove: function(subjectName, kindName, roleName, namespace) {
+
               var redirectToProjectList = null;
               var modalScope = createModalScope(subjectName, kindName, roleName, $scope.user.metadata.name);
               if(_.isEqual(subjectName, $scope.user.metadata.name)) {
@@ -294,7 +295,7 @@ angular
               })
               .result.then(function() {
                 RoleBindingsService
-                  .removeSubject(subjectName, roleName, $scope.roleBindings, requestContext)
+                  .removeSubject(subjectName, roleName, namespace, $scope.roleBindings, requestContext)
                   .then(function(updateRolebinding) {
                     if(redirectToProjectList) {
                       $location.url("./");
diff --git a/app/scripts/services/membership/roleBindings.js b/app/scripts/services/membership/roleBindings.js
index 28bdd2e417..a26bd494f5 100644
--- a/app/scripts/services/membership/roleBindings.js
+++ b/app/scripts/services/membership/roleBindings.js
@@ -87,20 +87,26 @@ angular
     };
 
     // has to handle multiple bindings or multiple reference to a subject within a single binding
-    var removeSubject = function(subjectName, role, roleBindings, context) {
-      var matches = _.filter(roleBindings, {roleRef: {name: role}});
+    var removeSubject = function(subjectName, role, namespace, roleBindings, context) {
+      var matchingBindings = _.filter(roleBindings, {roleRef: {name: role}});
+
       return $q.all(
-        _.map(matches, function(binding) {
+        _.map(matchingBindings, function(binding) {
           var tpl = bindingTPL();
           binding = _.extend(tpl, binding);
           cleanBinding(binding);
-          binding.subjects = _.reject(binding.subjects, {name: subjectName});
+
+          binding.subjects = _.reject(binding.subjects, {
+            name: subjectName,
+            namespace: namespace
+          });
+
           return binding.subjects.length ?
                   DataService.update('rolebindings', binding.metadata.name, binding, context) :
                   DataService.delete('rolebindings', binding.metadata.name, context)
                   // For a delete, resp is simply a 201 or less useful object.
                   // Instead, this intercepts the response & returns the binding object
-                  // with the empty .subjects[] list. 
+                  // with the empty .subjects[] list.
                   .then(function() {
                     return binding;
                   });
diff --git a/app/views/membership.html b/app/views/membership.html
index da29e1475c..d47a31fbb2 100644
--- a/app/views/membership.html
+++ b/app/views/membership.html
@@ -113,7 +113,7 @@ <h3>
                     key="role.metadata.name"
                     key-help="roleHelp(role)"
                     show-action="mode.edit"
-                    action="confirmRemove(subject.name, subjectKind.name, role.metadata.name)"
+                    action="confirmRemove(subject.name, subjectKind.name, role.metadata.name, subject.namespace)"
                     action-title="Remove role {{role.metadata.name}} from {{subject.name}}"></action-chip>
                 </div>
                 <div
diff --git a/dist/scripts/scripts.js b/dist/scripts/scripts.js
index 03a37df93f..9a9f5fb49d 100644
--- a/dist/scripts/scripts.js
+++ b/dist/scripts/scripts.js
@@ -2514,17 +2514,18 @@ l.subjects.push(n);
 } else l.subjects = [ n ];
 return i(l), t.update("rolebindings", l.metadata.name, l, s);
 },
-removeSubject: function(n, a, o, s) {
-var c = _.filter(o, {
+removeSubject: function(n, a, o, s, c) {
+var l = _.filter(s, {
 roleRef: {
 name: a
 }
 });
-return e.all(_.map(c, function(e) {
+return e.all(_.map(l, function(e) {
 var a = r();
 return e = _.extend(a, e), i(e), e.subjects = _.reject(e.subjects, {
-name: n
-}), e.subjects.length ? t.update("rolebindings", e.metadata.name, e, s) : t.delete("rolebindings", e.metadata.name, s).then(function() {
+name: n,
+namespace: o
+}), e.subjects.length ? t.update("rolebindings", e.metadata.name, e, c) : t.delete("rolebindings", e.metadata.name, c).then(function() {
 return e;
 });
 }));
@@ -5222,20 +5223,20 @@ f = r, P(), k(f), angular.extend(a, {
 project: n,
 subjectKinds: E,
 canUpdateRolebindings: y("rolebindings", "update", g),
-confirmRemove: function(n, r, i) {
-var c = null, l = T(n, r, i, a.user.metadata.name);
-_.isEqual(n, a.user.metadata.name) && u.isLastRole(a.user.metadata.name, a.roleBindings) && (c = !0), o.open({
+confirmRemove: function(n, r, i, c) {
+var l = null, d = T(n, r, i, a.user.metadata.name);
+_.isEqual(n, a.user.metadata.name) && u.isLastRole(a.user.metadata.name, a.roleBindings) && (l = !0), o.open({
 animation: !0,
 templateUrl: "views/modals/confirm.html",
 controller: "ConfirmModalController",
 resolve: {
 modalConfig: function() {
-return l;
+return d;
 }
 }
 }).result.then(function() {
-m.removeSubject(n, i, a.roleBindings, f).then(function(e) {
-c ? t.url("./") : (s.getProjectRules(g, !0).then(function() {
+m.removeSubject(n, i, c, a.roleBindings, f).then(function(e) {
+l ? t.url("./") : (s.getProjectRules(g, !0).then(function() {
 P(e[0]);
 var t = y("rolebindings", "update", g);
 angular.extend(a, {
diff --git a/dist/scripts/templates.js b/dist/scripts/templates.js
index 5485a88953..8f797d7398 100644
--- a/dist/scripts/templates.js
+++ b/dist/scripts/templates.js
@@ -10702,7 +10702,7 @@ angular.module('openshiftConsoleTemplates', []).run(['$templateCache', function(
     "</div>\n" +
     "<div class=\"action-set\">\n" +
     "<div class=\"col-roles\">\n" +
-    "<action-chip ng-repeat=\"role in subject.roles\" key=\"role.metadata.name\" key-help=\"roleHelp(role)\" show-action=\"mode.edit\" action=\"confirmRemove(subject.name, subjectKind.name, role.metadata.name)\" action-title=\"Remove role {{role.metadata.name}} from {{subject.name}}\"></action-chip>\n" +
+    "<action-chip ng-repeat=\"role in subject.roles\" key=\"role.metadata.name\" key-help=\"roleHelp(role)\" show-action=\"mode.edit\" action=\"confirmRemove(subject.name, subjectKind.name, role.metadata.name, subject.namespace)\" action-title=\"Remove role {{role.metadata.name}} from {{subject.name}}\"></action-chip>\n" +
     "</div>\n" +
     "<div ng-if=\"mode.edit\" class=\"col-add-role\">\n" +
     "<div row>\n" +