Diffstat (limited to 'rt/docs/design_docs/acls')
-rw-r--r--rt/docs/design_docs/acls228
1 files changed, 36 insertions, 192 deletions
diff --git a/rt/docs/design_docs/acls b/rt/docs/design_docs/acls
index 3b9d856..bb093ad 100644
--- a/rt/docs/design_docs/acls
+++ b/rt/docs/design_docs/acls
@@ -1,206 +1,50 @@
-$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $
+Does principal baz have right foo for object bar
-# {{{ Requirements
+What rights does user baz have for object bar
-Here's the rough scheme I was thinking of for RT2 acls. Thoughts? I think
-it's a lot more flexible than RT 1.0, but not so crazily complex that
-it will be impossible to implement. One of the "interesting" features
-is the ability to grant acls based on watcher status. This now lives
-in design-docs/acls
+# {{{ Which principals have right foo for object bar
- jesse
-Who can rights be granted to:
+if ($args{'ObjectType'} eq 'Ticket') {
+ $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = '".$args{'ObjectId'}."') ";
+ # If we're looking at ticket rights, we also want to look at the associated queue rights.
+ # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object
+ # and ask all the rest of our questions about the queue.
+ my $tick = RT::Ticket->new($RT::SystemUser);
+ $tick->Load($args{'ObjectId'});
+ $args{'ObjectType'} = 'Queue';
+ $args{'ObjectId'} = $tick->QueueObj->Id();
- users whose id is <foo>
- users who are watchers of type <requestor/cc/admincc> for <queue/ticket> <id>
- users who are watchers of type <requestor/cc/admincc> for <this ticket / this queue>
-
-
-what scope do these rights apply to
- queue <id>
- system
-
-
-What rights can be granted
- Display Ticket
- Manipulate Ticket
- Only users with manipulate ticket level access will see comments
- Maniplulate Ticket Status
- Create Ticket
-
- Admin Queue Watchers
- Admin Ticket Watchers
- Admin user accounts
- Admin scrips
- Admin scripscopes
- Admin Queue ACLS
- Admin System ACLs
-
-# }}}
-
-
-# {{{ Prinicpals These are the entities in your Access Control Element
-#
-
-Principal: What user does this right apply to
-
- Made up of:
- PrincipalScope, PrincipalType and PrincipalId
-
-
- User:
- Scope: User
- Type: null
- Id: A userid or 0
-
- Owner:
- Scope: Owner
- Type: null
- Id: none
-
-
- Watchers:
-
- Scope: Ticket
- Type: Requestors; Cc; AdminCc
- Id: A ticket id or 0 for "this ticket"
-
- Scope: Queue
- Type: Cc; AdminCc
- Id: A queue id or 0 for "this queue"
-
-
-# }}}
-
-# {{{ Object: What object does this right apply to
-
- Object is composed of an ObjectType and an ObjectId
-
- Type: System
- Id: NULL
-
- Type: Queue
- Id: Integer ref to queue id or 0 for all queues
-
-# }}}
-
-# {{{ Right: (What does this entry give the principal the right to do)
-
-
-
- For the Object System:
- System::SetACL
- System::AdminScrips
-
- User::Display
- User::Create
- User::Destroy
- User::Modify
- User::SetPassword
-
-
-
- For the Object "Queue":
- Queue::Admin
- Queue::SetACL
- Queue::Create
- Queue::Display
- Queue::Destroy
- Queue::ModifyWatchers
- Ticket::Create
- Ticket::Destory
- Ticket::Display
- Ticket::Update
- Ticket::UpdateRequestors
- Ticket::UpdateCc
- Ticket::UpdateAdminCc
- Ticket::NotifyWatchers
-
-
- DEFERRED
-
- Ticket::SetStatus: (Values)
- Open
- Resolved
- Stalled
- <null> means any
-
-
-# }}}
-
-
-# {{{ Implementation:
-
-# {{{ SQL Schema
-CREATE TABLE ACL (
- id int not null primary_key autoincrement,
- PrinicpalId INT(11),
- PrincipalType VARCHAR(16),
- PrincipalScope VARCHAR(16),
- ObjectType VARCHAR(16),
- ObjectId INT,
- Right VARCHAR(16)
-);
-
-# }}}
-
-# {{{ perl implementation of rights searches
-
-sub Principals {
-if (defined $Ticket) {
- return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
- }
-else {
- return "($UserPrincipal) OR ($WatchersPrincipal)";
- }
}
-
-$Principals = " ($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
-
-$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND
- ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";
-
-$OwnerPrincipal = " ( ACE.PrinciaplScope = 'Owner') AND
- ( Tickets.Owner = "$User ) AND
- ( Tickets.Id = $Ticket)";
-
-$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND
- ( ACE.PrincipalType = Watchers.Type ) AND
- ( ACL.PrincipalId = Watchers.Value ) AND
- ( Watchers.Owner = $User )";
-
-$QueueObject = "( ACE.ObjectType = 'Queue' and (ACE.ObjectId = $Queue OR ACE.ObjectId = 0)";
-
-$SystemObject = "( ACE.ObjectType = 'System' )";
-
-
-# This select statement would figure out if A user has $Right at the queue level
-
-SELECT ACE.id from ACE, Watchers, Tickets WHERE (
- $QueueObject
- AND ( ACE.Right = $Right)
- AND ($Principals))
+if ($args{'ObjectType'} eq 'Queue') {
+ $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = '".$args{'ObjectId'}."') $or_check_ticket_roles )
+ AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
+}
-# This select statement would figure outif a user has $Right for the "System"
+if (defined $args{'ObjectType'} ) {
+ $or_look_at_object_rights = " OR (ACL.ObjectType = '".$args{'ObjectType'}."' AND ACL.ObjectId = '".$args{'ObjectId'}."') ";
-SELECT ACE.id from ACE, Watchers, Tickets WHERE (
- ($SystemObject) AND ( ACE.Right = $Right ) AND ($Principals))
+}
-# }}}
+my $query = "SELECT Users.* from ACL, Groups, Users, Principals, Principals UserPrinc, CachedGroupMembers WHERE
+ Users.id = UserPrinc.ObjectId AND UserPrinc.PrincipalType = 'User' AND
+ Principals.Id = CachedGroupMembers.GroupId AND
+ CachedGroupMembers.MemberId = UserPrinc.ObjectId AND
+ UserPrinc.PrincipalType = 'User' AND
+ (ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') AND
+ (ACL.ObjectType = 'System' $or_look_at_object_rights) AND
+ (
+ (ACL.PrincipalId = Principals.Id AND
+ Principals.ObjectId = Groups.Id AND
+ ACL.PrincipalType = 'Group' AND
+ (Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence')
+ )
+ $or_check_roles
+ )";
# }}}
-# {{{ Examples
-#
-
-# }}}
-
-
-
-Unaddressed issues:
-
- There needs to be a more refined method for grouping users, such that members of the customer service department
-can't change sysadmins' passwords.
+What objects does principal baz have right foo for
+;
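Review bot: The sketched query interpolates `$args{'ObjectId'}`, `$args{'ObjectType'}` and `$right` straight into the SQL text (the `$or_check_ticket_roles`, `$or_check_roles` and `$or_look_at_object_rights` fragments and the `ACL.RightName = '$right'` clause), so if this sketch is carried into code any caller-supplied value reaches the database unquoted, and since this is the rights check itself a stray quote in an id would at best break the query and at worst change which principals it matches. In the implementation these should be bind placeholders, e.g. `(ACL.RightName = 'SuperUser' OR ACL.RightName = ?)` with the values handed to `execute`, or at minimum passed through `$dbh->quote`. Separately, `$or_check_ticket_roles`, `$or_check_roles` and `$or_look_at_object_rights` are only assigned inside their `if` branches, so for a Queue or undefined ObjectType they interpolate as undef (an "uninitialized" warning and an empty fragment); declare each as `my $or_check_ticket_roles = '';` before the branches. The ticket-to-queue rewrite also calls `$tick->QueueObj->Id()` without checking that `$tick->Load` found a ticket, which presumably yields an empty queue id rather than a denial — worth a guard such as `return unless $tick->Id;`.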