Diffstat (limited to 'rt/etc/upgrade/4.0.1')
-rw-r--r-- | rt/etc/upgrade/4.0.1/acl.Pg | 39 | ||||
-rw-r--r-- | rt/etc/upgrade/4.0.1/content | 83 |
2 files changed, 122 insertions, 0 deletions
diff --git a/rt/etc/upgrade/4.0.1/acl.Pg b/rt/etc/upgrade/4.0.1/acl.Pg
new file mode 100644
index 000000000..6b0e7bb3d
--- /dev/null
+++ b/rt/etc/upgrade/4.0.1/acl.Pg
@@ -0,0 +1,39 @@
+
+sub acl {
+ my $dbh = shift;
+
+ my @acls;
+
+ my @tables = qw (
+ classes_id_seq
+ Classes
+ articles_id_seq
+ Articles
+ topics_id_seq
+ Topics
+ objecttopics_id_seq
+ ObjectTopics
+ objectclasses_id_seq
+ ObjectClasses
+ );
+
+ my $db_user = RT->Config->Get('DatabaseUser');
+
+ my $sequence_right
+ = ( $dbh->{pg_server_version} >= 80200 )
+ ? "USAGE, SELECT, UPDATE"
+ : "SELECT, UPDATE";
+
+ foreach my $table (@tables) {
+ # Tables are upper-case, sequences are lowercase
+ if ( $table =~ /^[a-z]/ ) {
+ push @acls, "GRANT $sequence_right ON $table TO \"$db_user\";"
+ }
+ else {
+ push @acls, "GRANT SELECT, INSERT, UPDATE, DELETE ON $table TO \"$db_user\";"
+ }
+ }
+ return (@acls);
+}
+
+1;
diff --git a/rt/etc/upgrade/4.0.1/content b/rt/etc/upgrade/4.0.1/content
new file mode 100644
index 000000000..9b74ff1a8
--- /dev/null
+++ b/rt/etc/upgrade/4.0.1/content
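Review bot: `$db_user` is placed between hand-written `\"` quotes in both `push @acls` lines of `acl`, so a DatabaseUser value that itself contains a double quote would end the quoted identifier early and alter the GRANT statement. The value comes from RT's own configuration, so it is operator-controlled, but these statements run with DBA privileges; quoting it once with `my $quoted_user = $dbh->quote_identifier($db_user);` and writing `TO $quoted_user` keeps each statement well-formed for any role name. A one-line comment above `$sequence_right`, such as `# USAGE on sequences is only grantable from PostgreSQL 8.2 (80200) onward`, would also explain the version threshold.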
@@ -0,0 +1,83 @@
+@Initial = (
+ sub {
+ use strict;
+ $RT::Logger->debug('Removing all delegated rights');
+
+ my $acl = RT::ACL->new(RT->SystemUser);
+ my $groupjoin = $acl->NewAlias('Groups');
+ $acl->Join( ALIAS1 => 'main',
+ FIELD1 => 'PrincipalId',
+ ALIAS2 => $groupjoin,
+ FIELD2 => 'id'
+ );
+ $acl->Limit( ALIAS => $groupjoin,
+ FIELD => 'Domain',
+ OPERATOR => '=',
+ VALUE => 'Personal',
+ );
+
+ while ( my $ace = $acl->Next ) {
+ my ( $ok, $msg ) = $ace->Delete();
+
+ if ( !$ok ) {
+ $RT::Logger->warn( "Unable to delete ACE " . $ace->id . ": " . $msg );
+ }
+ }
+
+ my $groups = RT::Groups->new(RT->SystemUser);
+ $groups->Limit( FIELD => 'Domain',
+ OPERATOR => '=',
+ VALUE => 'Personal'
+ );
+ while ( my $group = $groups->Next ) {
+ my $members = $group->MembersObj();
+ while ( my $member = $members->Next ) {
+ my ( $ok, $msg ) = $group->DeleteMember( $member->MemberId );
+ if ( !$ok ) {
+ $RT::Logger->warn( "Unable to remove group member "
+ . $member->id . ": "
+ . $msg );
+ }
+ }
+ $group->PrincipalObj->Delete;
+ $group->RT::Record::Delete();
+ }
+ },
+ sub {
+ use strict;
+ $RT::Logger->debug('Removing all Delegate and PersonalGroup rights');
+
+ my $acl = RT::ACL->new(RT->SystemUser);
+ for my $right (qw/AdminOwnPersonalGroups AdminAllPersonalGroups DelegateRights/) {
+ $acl->Limit( FIELD => 'RightName', VALUE => $right );
+ }
+
+ while ( my $ace = $acl->Next ) {
+ my ( $ok, $msg ) = $ace->Delete();
+ $RT::Logger->debug("Removing ACE ".$ace->id." for right ".$ace->__Value('RightName'));
+
+ if ( !$ok ) {
+ $RT::Logger->warn( "Unable to delete ACE " . $ace->id . ": " . $msg );
+ }
+ }
+ },
+ sub {
+ use strict;
+ $RT::Logger->debug('Removing unimplemented RejectTicket and ModifyTicketStatus rights');
+
+ my $acl = RT::ACL->new(RT->SystemUser);
+ for my $right (qw/RejectTicket ModifyTicketStatus/) {
+ $acl->Limit( FIELD => 'RightName', VALUE => $right );
+ }
+
+ while ( my $ace = $acl->Next ) {
+ my ( $ok, $msg ) = $ace->Delete();
+ $RT::Logger->debug("Removing ACE ".$ace->id." for right ".$ace->__Value('RightName'));
+
+ if ( !$ok ) {
+ $RT::Logger->warn( "Unable to delete ACE " . $ace->id . ": " . $msg );
+ }
+ }
+ },
+);
+ |
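Review bot: The two deletions that close the Personal-group loop in the first sub, `$group->PrincipalObj->Delete;` and `$group->RT::Record::Delete();`, discard their results, while every other delete in this file checks `$ok` and warns. Because this step is what revokes delegated rights, a failure there would leave a Personal group or its principal in place with nothing in the log. Assuming both calls return the same `( $ok, $msg )` pair as the other deletes, capture it and warn, e.g. `my ( $ok, $msg ) = $group->PrincipalObj->Delete;` followed by `$RT::Logger->warn( "Unable to delete principal of group " . $group->id . ": " . $msg ) unless $ok;`, and do the same for the record delete. In the second and third subs the `Removing ACE` debug line is written after `Delete()` has already run and whether or not it succeeded; moving it above the delete would make the log reflect what was attempted.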