Diffstat (limited to 'rt/docs/design_docs/acls')
-rw-r--r--rt/docs/design_docs/acls228
1 files changed, 192 insertions, 36 deletions
diff --git a/rt/docs/design_docs/acls b/rt/docs/design_docs/acls
index bb093adcb..3b9d8567c 100644
--- a/rt/docs/design_docs/acls
+++ b/rt/docs/design_docs/acls
@@ -1,50 +1,206 @@
+$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $
-Does principal baz have right foo for object bar
-What rights does user baz have for object bar
+# {{{ Requirements
-# {{{ Which principals have right foo for object bar
+Here's the rough scheme I was thinking of for RT2 acls. Thoughts? I think
+it's a lot more flexible than RT 1.0, but not so crazily complex that
+it will be impossible to implement. One of the "interesting" features
+is the ability to grant acls based on watcher status. This now lives
+in design-docs/acls
+ jesse
-if ($args{'ObjectType'} eq 'Ticket') {
- $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = '".$args{'ObjectId'}."') ";
- # If we're looking at ticket rights, we also want to look at the associated queue rights.
- # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object
- # and ask all the rest of our questions about the queue.
- my $tick = RT::Ticket->new($RT::SystemUser);
- $tick->Load($args{'ObjectId'});
- $args{'ObjectType'} = 'Queue';
- $args{'ObjectId'} = $tick->QueueObj->Id();
+Who can rights be granted to:
-}
-if ($args{'ObjectType'} eq 'Queue') {
- $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = '".$args{'ObjectId'}."') $or_check_ticket_roles )
- AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
-}
+ users whose id is <foo>
+ users who are watchers of type <requestor/cc/admincc> for <queue/ticket> <id>
+ users who are watchers of type <requestor/cc/admincc> for <this ticket / this queue>
+
+
+what scope do these rights apply to
+ queue <id>
+ system
+
+
+What rights can be granted
+ Display Ticket
+ Manipulate Ticket
+ Only users with manipulate ticket level access will see comments
+ Maniplulate Ticket Status
+ Create Ticket
+
+ Admin Queue Watchers
+ Admin Ticket Watchers
+ Admin user accounts
+ Admin scrips
+ Admin scripscopes
+ Admin Queue ACLS
+ Admin System ACLs
+
+# }}}
+
+
+# {{{ Prinicpals These are the entities in your Access Control Element
+#
+
+Principal: What user does this right apply to
+
+ Made up of:
+ PrincipalScope, PrincipalType and PrincipalId
+
+
+ User:
+ Scope: User
+ Type: null
+ Id: A userid or 0
+
+ Owner:
+ Scope: Owner
+ Type: null
+ Id: none
+
+
+ Watchers:
+
+ Scope: Ticket
+ Type: Requestors; Cc; AdminCc
+ Id: A ticket id or 0 for "this ticket"
+
+ Scope: Queue
+ Type: Cc; AdminCc
+ Id: A queue id or 0 for "this queue"
+
+
+# }}}
+
+# {{{ Object: What object does this right apply to
+
+ Object is composed of an ObjectType and an ObjectId
+
+ Type: System
+ Id: NULL
+
+ Type: Queue
+ Id: Integer ref to queue id or 0 for all queues
+
+# }}}
+
+# {{{ Right: (What does this entry give the principal the right to do)
+
+
+
+ For the Object System:
+ System::SetACL
+ System::AdminScrips
-if (defined $args{'ObjectType'} ) {
- $or_look_at_object_rights = " OR (ACL.ObjectType = '".$args{'ObjectType'}."' AND ACL.ObjectId = '".$args{'ObjectId'}."') ";
+ User::Display
+ User::Create
+ User::Destroy
+ User::Modify
+ User::SetPassword
+
+
+ For the Object "Queue":
+ Queue::Admin
+ Queue::SetACL
+ Queue::Create
+ Queue::Display
+ Queue::Destroy
+ Queue::ModifyWatchers
+ Ticket::Create
+ Ticket::Destory
+ Ticket::Display
+ Ticket::Update
+ Ticket::UpdateRequestors
+ Ticket::UpdateCc
+ Ticket::UpdateAdminCc
+ Ticket::NotifyWatchers
+
+
+ DEFERRED
+
+ Ticket::SetStatus: (Values)
+ Open
+ Resolved
+ Stalled
+ <null> means any
+
+
+# }}}
+
+
+# {{{ Implementation:
+
+# {{{ SQL Schema
+CREATE TABLE ACL (
+ id int not null primary_key autoincrement,
+ PrinicpalId INT(11),
+ PrincipalType VARCHAR(16),
+ PrincipalScope VARCHAR(16),
+ ObjectType VARCHAR(16),
+ ObjectId INT,
+ Right VARCHAR(16)
+);
+
+# }}}
+
+# {{{ perl implementation of rights searches
+
+sub Principals {
+if (defined $Ticket) {
+ return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
+ }
+else {
+ return "($UserPrincipal) OR ($WatchersPrincipal)";
+ }
}
+
+$Principals = " ($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
+
+$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND
+ ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";
-my $query = "SELECT Users.* from ACL, Groups, Users, Principals, Principals UserPrinc, CachedGroupMembers WHERE
- Users.id = UserPrinc.ObjectId AND UserPrinc.PrincipalType = 'User' AND
- Principals.Id = CachedGroupMembers.GroupId AND
- CachedGroupMembers.MemberId = UserPrinc.ObjectId AND
- UserPrinc.PrincipalType = 'User' AND
- (ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') AND
- (ACL.ObjectType = 'System' $or_look_at_object_rights) AND
- (
- (ACL.PrincipalId = Principals.Id AND
- Principals.ObjectId = Groups.Id AND
- ACL.PrincipalType = 'Group' AND
- (Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence')
- )
- $or_check_roles
- )";
+$OwnerPrincipal = " ( ACE.PrinciaplScope = 'Owner') AND
+ ( Tickets.Owner = "$User ) AND
+ ( Tickets.Id = $Ticket)";
+
+$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND
+ ( ACE.PrincipalType = Watchers.Type ) AND
+ ( ACL.PrincipalId = Watchers.Value ) AND
+ ( Watchers.Owner = $User )";
+
+$QueueObject = "( ACE.ObjectType = 'Queue' and (ACE.ObjectId = $Queue OR ACE.ObjectId = 0)";
+
+$SystemObject = "( ACE.ObjectType = 'System' )";
+
+
+# This select statement would figure out if A user has $Right at the queue level
+
+SELECT ACE.id from ACE, Watchers, Tickets WHERE (
+ $QueueObject
+ AND ( ACE.Right = $Right)
+ AND ($Principals))
+
+# This select statement would figure outif a user has $Right for the "System"
+
+SELECT ACE.id from ACE, Watchers, Tickets WHERE (
+ ($SystemObject) AND ( ACE.Right = $Right ) AND ($Principals))
# }}}
-What objects does principal baz have right foo for
-;
+# }}}
+
+# {{{ Examples
+#
+
+# }}}
+
+
+
+Unaddressed issues:
+
+ There needs to be a more refined method for grouping users, such that members of the customer service department
+can't change sysadmins' passwords.
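Review bot: The `$WatchersPrincipal` fragment never implements the "0 means this ticket / this queue" convention that the Principals section declares for watcher principals: it only tests `ACL.PrincipalId = Watchers.Value`, so an ACE granted to "watchers of this ticket" (PrincipalId 0) can never match, and it also uses the `ACL.` prefix where every other fragment and both SELECTs alias the table as `ACE`. `$OwnerPrincipal` has a misspelled column (`PrinciaplScope`) and an unbalanced quote in `Tickets.Owner = "$User`, and the CREATE TABLE spells the column `PrinicpalId` while the fragments use `PrincipalId` and names a column `Right`, which is a reserved word in most SQL dialects, so none of this would run as written. Since these strings are meant to become real queries, the doc should also state that `$User`, `$Ticket`, `$Queue` and `$Right` are to be passed as bind parameters rather than interpolated: the `ACE.PrincipalId = 0` and `ACE.ObjectId = 0` wildcards already make a grant broad, and an injected value would widen it further. A rewritten owner/watcher pair follows; the CASE expression is one way to resolve the 0 wildcard against the object being checked, and the Ticket branch has to be omitted for queue- and system-level checks where `$Ticket` is undefined, as `sub Principals` already does for the owner clause. The hunk appears to cover the whole file, so nothing of these definitions lies outside it.
```perl
# … unchanged: $UserPrincipal …
$OwnerPrincipal = " ( ACE.PrincipalScope = 'Owner') AND
                   ( Tickets.Owner = $User ) AND
                   ( Tickets.Id = $Ticket)";

# PrincipalId 0 stands for "this ticket" / "this queue", so resolve it against
# whichever object is being checked instead of comparing it to Watchers.Value.
$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND
                      ( ACE.PrincipalType = Watchers.Type ) AND
                      ( ACE.PrincipalId = Watchers.Value OR
                        ( ACE.PrincipalId = 0 AND
                          Watchers.Value = CASE ACE.PrincipalScope WHEN 'Ticket' THEN $Ticket ELSE $Queue END ) ) AND
                      ( Watchers.Owner = $User )";
```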