author | Ivan Kohler <ivan@freeside.biz> | 2012-06-07 16:55:45 -0700 |
committer | Ivan Kohler <ivan@freeside.biz> | 2012-06-07 16:55:45 -0700 |
commit | c24d6e2242ae0e026684b8f95decf156aba6e75e (patch) | |
tree | 8597d00e2e6bf2cf400437b9344f43b1500da412 /rt/lib/RT/User.pm | |
parent | 6686c29104e555ea23446fe1db330664fa110bc0 (diff) |
rt 4.0.6
Diffstat (limited to 'rt/lib/RT/User.pm')
-rwxr-xr-x | rt/lib/RT/User.pm | 74 |
1 files changed, 49 insertions, 25 deletions
diff --git a/rt/lib/RT/User.pm b/rt/lib/RT/User.pm
index 2a14cd154..9b4a82683 100755
--- a/rt/lib/RT/User.pm
+++ b/rt/lib/RT/User.pm
@@ -1206,6 +1206,37 @@ sub HasRight {
 return $self->PrincipalObj->HasRight(@_);
 }
+=head2 CurrentUserCanSee [FIELD]
+
+Returns true if the current user can see the user, based on if it is
+public, ourself, or we have AdminUsers
+
+=cut
+
+sub CurrentUserCanSee {
+ my $self = shift;
+ my ($what) = @_;
+
+ # If it's public, fine. Note that $what may be "transaction", which
+ # doesn't have an Accessible value, and thus falls through below.
+ if ( $self->_Accessible( $what, 'public' ) ) {
+ return 1;
+ }
+
+ # Users can see their own properties
+ elsif ( defined($self->Id) && $self->CurrentUser->Id == $self->Id ) {
+ return 1;
+ }
+
+ # If the user has the admin users right, that's also enough
+ elsif ( $self->CurrentUser->HasRight( Right => 'AdminUsers', Object => $RT::System) ) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
 =head2 CurrentUserCanModify RIGHT
 If the user has rights for this object, either because
@@ -1334,12 +1365,13 @@ sub Stylesheet {
 my $style = RT->Config->Get('WebDefaultStylesheet', $self->CurrentUser);
+ if (RT::Interface::Web->ComponentPathIsSafe($style)) {
+ my @css_paths = map { $_ . '/NoAuth/css' } RT::Interface::Web->ComponentRoots;
- my @css_paths = map { $_ . '/NoAuth/css' } RT::Interface::Web->ComponentRoots;
-
- for my $css_path (@css_paths) {
- if (-d "$css_path/$style") {
- return $style
+ for my $css_path (@css_paths) {
+ if (-d "$css_path/$style") {
+ return $style
+ }
 }
 }
@@ -1409,6 +1441,12 @@ sub WatchedQueues {
 FIELD => 'MemberId',
 VALUE => $self->PrincipalId,
 );
+ $watched_queues->Limit(
+ ALIAS => $queues_alias,
+ FIELD => 'Disabled',
+ VALUE => 0,
+ );
+
 $RT::Logger->debug("WatchedQueues got " . $watched_queues->Count . " queues");
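Review bot: The POD for the new CurrentUserCanSee (first hunk, from `=head2 CurrentUserCanSee [FIELD]`) says it decides whether the current user can see the user, but the body decides per field: `_Accessible( $what, 'public' )` grants any field marked public to every caller, and the inline comment says `$what` may also be "transaction". The POD should state that FIELD is the attribute (or "transaction") being read, that public attributes are readable by anyone, and that the result is a plain 1/0 rather than the (status, message) pair that `_Set` returns, e.g. `Returns 1 if the current user may read FIELD of this user: public fields are readable by anyone, any field by the user themself, and every field by a holder of AdminUsers on RT::System; returns 0 otherwise.` As a style point, the three branches that each `return 1` would read more directly as guard clauses (`return 1 if $self->_Accessible( $what, 'public' );` and so on) followed by a single `return 0;`.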
@@ -1447,7 +1485,9 @@ sub _Set {
 if ( $ret == 0 ) { return ( 0, $msg ); }
 if ( $args{'RecordTransaction'} == 1 ) {
-
+ if ($args{'Field'} eq "Password") {
+ $args{'Value'} = $Old = '********';
+ }
 my ( $Trans, $Msg, $TransObj ) = $self->_NewTransaction(
 Type => $args{'TransactionType'},
 Field => $args{'Field'},
@@ -1473,25 +1513,9 @@ sub _Value {
 my $self = shift;
 my $field = shift;
- #if the field is public, return it.
- if ( $self->_Accessible( $field, 'public' ) ) {
- return ( $self->SUPER::_Value($field) );
-
- }
-
- #If the user wants to see their own values, let them
- # TODO figure ouyt a better way to deal with this
- elsif ( defined($self->Id) && $self->CurrentUser->Id == $self->Id ) {
- return ( $self->SUPER::_Value($field) );
- }
-
- #If the user has the admin users right, return the field
- elsif ( $self->CurrentUser->HasRight(Right =>'AdminUsers', Object => $RT::System) ) {
- return ( $self->SUPER::_Value($field) );
- } else {
- return (undef);
- }
-
+ # Defer to the abstraction above to know if the field can be read
+ return $self->SUPER::_Value($field) if $self->CurrentUserCanSee($field);
+ return undef;
 }
 =head2 FriendlyName |
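Review bot: The password masking added to _Set (`if ($args{'Field'} eq "Password") {`) has no comment saying why both `$args{'Value'}` and `$Old` are overwritten with `'********'`, and the reason is security-relevant: the very next statement hands these values to `_NewTransaction`, so the mask is presumably what keeps the old and new password out of the transaction history. Suggest `# Never record the old or new password in the transaction history; store a fixed mask instead.` directly above the `if`. The start of _Set and the assignment of `$Old` are outside the hunk, so whether `$Old` holds the previously stored value is inferred rather than visible here; the masking also runs only inside the RecordTransaction branch, which is the only place this hunk shows the values being persisted.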
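Review bot: The new `return undef;` closing _Value deserves a comment, because it now stands in for the whole removed branch: a caller that gets undef cannot tell a field with no value from a field the current user is not permitted to read, and the explicit `undef` (rather than a bare `return;`) is what keeps list-context callers receiving one element exactly as the old `return (undef);` did. Suggest `# undef means either "no value" or "not permitted to read this field"; callers cannot tell them apart.` and `# Keep 'return undef' (not bare 'return') so list-context callers still get one element, as before.` above that line. The comment on the preceding line, "Defer to the abstraction above", would also be clearer if it named CurrentUserCanSee, since "above" will drift as the file changes.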