Diffstat (limited to 'rt/docs/design_docs/acls')
-rw-r--r--rt/docs/design_docs/acls50
1 files changed, 50 insertions, 0 deletions
diff --git a/rt/docs/design_docs/acls b/rt/docs/design_docs/acls
new file mode 100644
index 0000000..bb093ad
--- /dev/null
+++ b/rt/docs/design_docs/acls
@@ -0,0 +1,50 @@
+
+
+Does principal baz have right foo for object bar
+
+What rights does user baz have for object bar
+
+# {{{ Which principals have right foo for object bar
+
+
+if ($args{'ObjectType'} eq 'Ticket') {
+ $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = '".$args{'ObjectId'}."') ";
+ # If we're looking at ticket rights, we also want to look at the associated queue rights.
+ # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object
+ # and ask all the rest of our questions about the queue.
+ my $tick = RT::Ticket->new($RT::SystemUser);
+ $tick->Load($args{'ObjectId'});
+ $args{'ObjectType'} = 'Queue';
+ $args{'ObjectId'} = $tick->QueueObj->Id();
+
+}
+if ($args{'ObjectType'} eq 'Queue') {
+ $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = '".$args{'ObjectId'}."') $or_check_ticket_roles )
+ AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
+}
+
+if (defined $args{'ObjectType'} ) {
+ $or_look_at_object_rights = " OR (ACL.ObjectType = '".$args{'ObjectType'}."' AND ACL.ObjectId = '".$args{'ObjectId'}."') ";
+
+}
+
+my $query = "SELECT Users.* from ACL, Groups, Users, Principals, Principals UserPrinc, CachedGroupMembers WHERE
+ Users.id = UserPrinc.ObjectId AND UserPrinc.PrincipalType = 'User' AND
+ Principals.Id = CachedGroupMembers.GroupId AND
+ CachedGroupMembers.MemberId = UserPrinc.ObjectId AND
+ UserPrinc.PrincipalType = 'User' AND
+ (ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') AND
+ (ACL.ObjectType = 'System' $or_look_at_object_rights) AND
+ (
+ (ACL.PrincipalId = Principals.Id AND
+ Principals.ObjectId = Groups.Id AND
+ ACL.PrincipalType = 'Group' AND
+ (Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence')
+ )
+ $or_check_roles
+ )";
+
+# }}}
+
+What objects does principal baz have right foo for
+;
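Review bot: The query is assembled by splicing `$args{'ObjectId'}`, `$args{'ObjectType'}` and `$right` straight into SQL string literals (L26, L37, L42, L51), so whatever the caller passes reaches the database unescaped; even as a design sketch, each value should go through the DBI handle's `quote` method (or a `?` placeholder with bind values) at the point it is interpolated, e.g. `my $object_id = $dbh->quote($args{'ObjectId'});` and then `ACL.ObjectId = $object_id` with no surrounding quotes. The return value of `$tick->Load($args{'ObjectId'})` on L31 is not checked, so a ticket that fails to load silently turns the lookup into a queue query on an undefined id. `$or_check_ticket_roles`, `$or_check_roles` and `$or_look_at_object_rights` are never initialised, so on the branches that skip them they interpolate as undef into the query; declaring them as `my $or_check_roles = '';` (and likewise for the other two) makes the fall-through explicit. The sketch also references `$right` without showing where it is set, which the final design should spell out.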