From c63ab7e6ca9154250f128f64a3c02050de2c016a Mon Sep 17 00:00:00 2001
From: Holger Just <holger@plan.io>
Date: Mon, 24 Oct 2016 16:55:05 +0200
Subject: [PATCH] Explicitly remove the potential global scope on roles, users,
 and groups when querying and creating builtin objects

---
 app/models/group_builtin.rb | 4 ++--
 app/models/role.rb          | 4 ++--
 app/models/user.rb          | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/models/group_builtin.rb b/app/models/group_builtin.rb
index 9cedb61..29e1d8e 100644
--- a/app/models/group_builtin.rb
+++ b/app/models/group_builtin.rb
@@ -37,12 +37,12 @@ class GroupBuiltin < Group
   class << self
     def load_instance
       return nil if self == GroupBuiltin
-      instance = order('id').first || create_instance
+      instance = unscoped.order('id').first || create_instance
     end
 
     def create_instance
       raise 'The builtin group already exists.' if exists?
-      instance = new
+      instance = unscoped.new
       instance.lastname = name
       instance.save :validate => false
       raise 'Unable to create builtin group.' if instance.new_record?
diff --git a/app/models/role.rb b/app/models/role.rb
index 8b4dbde..b85d5a6 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -294,9 +294,9 @@ private
   end
 
   def self.find_or_create_system_role(builtin, name)
-    role = where(:builtin => builtin).first
+    role = unscoped.where(:builtin => builtin).first
     if role.nil?
-      role = create(:name => name) do |r|
+      role = unscoped.create(:name => name) do |r|
         r.builtin = builtin
       end
       raise "Unable to create the #{name} role (#{role.errors.full_messages.join(',')})." if role.new_record?
diff --git a/app/models/user.rb b/app/models/user.rb
index 1a6b621..53e559f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -749,9 +749,9 @@ class User < Principal
   # Returns the anonymous user.  If the anonymous user does not exist, it is created.  There can be only
   # one anonymous user per database.
   def self.anonymous
-    anonymous_user = AnonymousUser.first
+    anonymous_user = AnonymousUser.unscoped.first
     if anonymous_user.nil?
-      anonymous_user = AnonymousUser.create(:lastname => 'Anonymous', :firstname => '', :login => '', :status => 0)
+      anonymous_user = AnonymousUser.unscoped.create(:lastname => 'Anonymous', :firstname => '', :login => '', :status => 0)
       raise 'Unable to create the anonymous user.' if anonymous_user.new_record?
     end
     anonymous_user
-- 
2.10.1