#$Header: /home/cvs/cvsroot/freeside/rt/lib/RT/ACE.pm,v 1.1 2002-08-12 06:17:07 ivan Exp $
=head1 NAME
RT::ACE - RT\'s ACE object
=head1 SYNOPSIS
use RT::ACE;
my $ace = new RT::ACE($CurrentUser);
=head1 DESCRIPTION
=head1 METHODS
=begin testing
ok(require RT::TestHarness);
ok(require RT::ACE);
=end testing
=cut
package RT::ACE;
use RT::Record;
@ISA= qw(RT::Record);
use vars qw (%SCOPES
%QUEUERIGHTS
%SYSTEMRIGHTS
%LOWERCASERIGHTNAMES
);
%SCOPES = (
System => 'System-level right',
Queue => 'Queue-level right'
);
# {{{ Descriptions of rights
# Queue rights are the sort of queue rights that can only be granted
# to real people or groups
%QUEUERIGHTS = (
SeeQueue => 'Can this principal see this queue',
AdminQueue => 'Create, delete and modify queues',
ShowACL => 'Display Access Control List',
ModifyACL => 'Modify Access Control List',
ModifyQueueWatchers => 'Modify the queue watchers',
AdminKeywordSelects => 'Create, delete and modify keyword selections',
ModifyTemplate => 'Modify email templates for this queue',
ShowTemplate => 'Display email templates for this queue',
ModifyScrips => 'Modify Scrips for this queue',
ShowScrips => 'Display Scrips for this queue',
ShowTicket => 'Show ticket summaries',
ShowTicketComments => 'Show ticket private commentary',
Watch => 'Sign up as a ticket Requestor or ticket or queue Cc',
WatchAsAdminCc => 'Sign up as a ticket or queue AdminCc',
CreateTicket => 'Create tickets in this queue',
ReplyToTicket => 'Reply to tickets',
CommentOnTicket => 'Comment on tickets',
OwnTicket => 'Own tickets',
ModifyTicket => 'Modify tickets',
DeleteTicket => 'Delete tickets'
);
# System rights are rights granted to the whole system
%SYSTEMRIGHTS = (
SuperUser => 'Do anything and everything',
AdminKeywords => 'Creatte, delete and modify keywords',
AdminGroups => 'Create, delete and modify groups',
AdminUsers => 'Create, Delete and Modify users',
ModifySelf => 'Modify one\'s own RT account',
);
# }}}
# {{{ Descriptions of principals
%TICKET_METAPRINCIPALS = ( Owner => 'The owner of a ticket',
Requestor => 'The requestor of a ticket',
Cc => 'The CC of a ticket',
AdminCc => 'The administrative CC of a ticket',
);
# }}}
# {{{ We need to build a hash of all rights, keyed by lower case names
#since you can't do case insensitive hash lookups
foreach $right (keys %QUEUERIGHTS) {
$LOWERCASERIGHTNAMES{lc $right}=$right;
}
foreach $right (keys %SYSTEMRIGHTS) {
$LOWERCASERIGHTNAMES{lc $right}=$right;
}
# }}}
# {{{ sub _Init
sub _Init {
my $self = shift;
$self->{'table'} = "ACL";
return($self->SUPER::_Init(@_));
}
# }}}
# {{{ sub LoadByValues
=head2 LoadByValues PARAMHASH
Load an ACE by specifying a paramhash with the following fields:
PrincipalId => undef,
PrincipalType => undef,
RightName => undef,
RightScope => undef,
RightAppliesTo => undef,
=cut
sub LoadByValues {
my $self = shift;
my %args = (PrincipalId => undef,
PrincipalType => undef,
RightName => undef,
RightScope => undef,
RightAppliesTo => undef,
@_);
$self->LoadByCols (PrincipalId => $args{'PrincipalId'},
PrincipalType => $args{'PrincipalType'},
RightName => $args{'RightName'},
RightScope => $args{'RightScope'},
RightAppliesTo => $args{'RightAppliesTo'}
);
#If we couldn't load it.
unless ($self->Id) {
return (0, "ACE not found");
}
# if we could
return ($self->Id, "ACE Loaded");
}
# }}}
# {{{ sub Create
=head2 Create <PARAMS>
PARAMS is a parameter hash with the following elements:
PrincipalType => "Queue"|"User"
PrincipalId => an intentifier you can use to ->Load a user or group
RightName => the name of a right. in any case
RightScope => "System" | "Queue"
RightAppliesTo => a queue id or undef
=cut
sub Create {
my $self = shift;
my %args = ( PrincipalId => undef,
PrincipalType => undef,
RightName => undef,
RightScope => undef,
RightAppliesTo => undef,
@_
);
# {{{ Validate the principal
my ($princ_obj);
if ($args{'PrincipalType'} eq 'User') {
$princ_obj = new RT::User($RT::SystemUser);
}
elsif ($args{'PrincipalType'} eq 'Group') {
require RT::Group;
$princ_obj = new RT::Group($RT::SystemUser);
}
else {
return (0, 'Principal type '.$args{'PrincipalType'} . ' is invalid.');
}
$princ_obj->Load($args{'PrincipalId'});
my $princ_id = $princ_obj->Id();
unless ($princ_id) {
return (0, 'Principal '.$args{'PrincipalId'}.' not found.');
}
# }}}
#TODO allow loading of queues by name.
# {{{ Check the ACL
if ($args{'RightScope'} eq 'System') {
unless ($self->CurrentUserHasSystemRight('ModifyACL')) {
$RT::Logger->error("Permission Denied.");
return(undef);
}
}
elsif ($args{'RightScope'} eq 'Queue') {
unless ($self->CurrentUserHasQueueRight( Queue => $args{'RightAppliesTo'},
Right => 'ModifyACL')) {
return (0, 'Permission Denied.');
}
}
#If it's not a scope we recognise, something scary is happening.
else {
$RT::Logger->err("RT::ACE->Create got a scope it didn't recognize: ".
$args{'RightScope'}." Bailing. \n");
return(0,"System error. Unable to grant rights.");
}
# }}}
# {{{ Canonicalize and check the right name
$args{'RightName'} = $self->CanonicalizeRightName($args{'RightName'});
#check if it's a valid RightName
if ($args{'RightScope'} eq 'Queue') {
unless (exists $QUEUERIGHTS{$args{'RightName'}}) {
return(0, 'Invalid right');
}
}
elsif ($args{'RightScope' eq 'System'}) {
unless (exists $SYSTEMRIGHTS{$args{'RightName'}}) {
return(0, 'Invalid right');
}
}
# }}}
# Make sure the right doesn't already exist.
$self->LoadByCols (PrincipalId => $princ_id,
PrincipalType => $args{'PrincipalType'},
RightName => $args{'RightName'},
RightScope => $args {'RightScope'},
RightAppliesTo => $args{'RightAppliesTo'}
);
if ($self->Id) {
return (0, 'That user already has that right');
}
my $id = $self->SUPER::Create( PrincipalId => $princ_id,
PrincipalType => $args{'PrincipalType'},
RightName => $args{'RightName'},
RightScope => $args {'RightScope'},
RightAppliesTo => $args{'RightAppliesTo'}
);
if ($id > 0 ) {
return ($id, 'Right Granted');
}
else {
$RT::Logger->err('System error. right not granted.');
return(0, 'System Error. right not granted');
}
}
# }}}
# {{{ sub Delete
=head2 Delete
Delete this object.
=cut
sub Delete {
my $self = shift;
unless ($self->CurrentUserHasRight('ModifyACL')) {
return (0, 'Permission Denied');
}
my ($val,$msg) = $self->SUPER::Delete(@_);
if ($val) {
return ($val, 'ACE Deleted');
}
else {
return (0, 'ACE could not be deleted');
}
}
# }}}
# {{{ sub _BootstrapRight
=head2 _BootstrapRight
Grant a right with no error checking and no ACL. this is _only_ for
installation. If you use this routine without jesse@fsck.com's explicit
written approval, he will hunt you down and make you spend eternity
translating mozilla's code into FORTRAN or intercal.
=cut
sub _BootstrapRight {
my $self = shift;
my %args = @_;
my $id = $self->SUPER::Create( PrincipalId => $args{'PrincipalId'},
PrincipalType => $args{'PrincipalType'},
RightName => $args{'RightName'},
RightScope => $args {'RightScope'},
RightAppliesTo => $args{'RightAppliesTo'}
);
if ($id > 0 ) {
return ($id);
}
else {
$RT::Logger->err('System error. right not granted.');
return(undef);
}
}
# }}}
# {{{ sub CanonicalizeRightName
=head2 CanonicalizeRightName <RIGHT>
Takes a queue or system right name in any case and returns it in
the correct case. If it's not found, will return undef.
=cut
sub CanonicalizeRightName {
my $self = shift;
my $right = shift;
$right = lc $right;
if (exists $LOWERCASERIGHTNAMES{"$right"}) {
return ($LOWERCASERIGHTNAMES{"$right"});
}
else {
return (undef);
}
}
# }}}
# {{{ sub QueueRights
=head2 QueueRights
Returns a hash of all the possible rights at the queue scope
=cut
sub QueueRights {
return (%QUEUERIGHTS);
}
# }}}
# {{{ sub SystemRights
=head2 SystemRights
Returns a hash of all the possible rights at the system scope
=cut
sub SystemRights {
return (%SYSTEMRIGHTS);
}
# }}}
# {{{ sub _Accessible
sub _Accessible {
my $self = shift;
my %Cols = (
PrincipalId => 'read/write',
PrincipalType => 'read/write',
RightName => 'read/write',
RightScope => 'read/write',
RightAppliesTo => 'read/write'
);
return($self->SUPER::_Accessible(@_, %Cols));
}
# }}}
# {{{ sub AppliesToObj
=head2 AppliesToObj
If the AppliesTo is a queue, returns the queue object. If it's
the system object, returns undef. If the user has no rights, returns undef.
=cut
sub AppliesToObj {
my $self = shift;
if ($self->RightScope eq 'Queue') {
my $appliesto_obj = new RT::Queue($self->CurrentUser);
$appliesto_obj->Load($self->RightAppliesTo);
return($appliesto_obj);
}
elsif ($self->RightScope eq 'System') {
return (undef);
}
else {
$RT::Logger->warning("$self -> AppliesToObj called for an object ".
"of an unknown scope:" . $self->RightScope);
return(undef);
}
}
# }}}
# {{{ sub PrincipalObj
=head2 PrincipalObj
If the AppliesTo is a group, returns the group object.
If the AppliesTo is a user, returns the user object.
Otherwise, it logs a warning and returns undef.
=cut
sub PrincipalObj {
my $self = shift;
my ($princ_obj);
if ($self->PrincipalType eq 'Group') {
use RT::Group;
$princ_obj = new RT::Group($self->CurrentUser);
}
elsif ($self->PrincipalType eq 'User') {
$princ_obj = new RT::User($self->CurrentUser);
}
else {
$RT::Logger->warning("$self -> PrincipalObj called for an object ".
"of an unknown principal type:" .
$self->PrincipalType ."\n");
return(undef);
}
$princ_obj->Load($self->PrincipalId);
return($princ_obj);
}
# }}}
# {{{ ACL related methods
# {{{ sub _Set
sub _Set {
my $self = shift;
return (0, "ACEs can only be created and deleted.");
}
# }}}
# {{{ sub _Value
sub _Value {
my $self = shift;
unless ($self->CurrentUserHasRight('ShowACL')) {
return (undef);
}
return ($self->__Value(@_));
}
# }}}
# {{{ sub CurrentUserHasQueueRight
=head2 CurrentUserHasQueueRight ( Queue => QUEUEID, Right => RIGHTNANAME )
Check to see whether the current user has the specified right for the specified queue.
=cut
sub CurrentUserHasQueueRight {
my $self = shift;
my %args = (Queue => undef,
Right => undef,
@_
);
return ($self->HasRight( Right => $args{'Right'},
Principal => $self->CurrentUser->UserObj,
Queue => $args{'Queue'}));
}
# }}}
# {{{ sub CurrentUserHasSystemRight
=head2 CurrentUserHasSystemRight RIGHTNAME
Check to see whether the current user has the specified right for the 'system' scope.
=cut
sub CurrentUserHasSystemRight {
my $self = shift;
my $right = shift;
return ($self->HasRight( Right => $right,
Principal => $self->CurrentUser->UserObj,
System => 1
));
}
# }}}
# {{{ sub CurrentUserHasRight
=item CurrentUserHasRight RIGHT
Takes a rightname as a string.
Helper menthod for HasRight. Presets Principal to CurrentUser then
calls HasRight.
=cut
sub CurrentUserHasRight {
my $self = shift;
my $right = shift;
return ($self->HasRight( Principal => $self->CurrentUser->UserObj,
Right => $right,
));
}
# }}}
# {{{ sub HasRight
=item HasRight
Takes a param-hash consisting of "Right" and "Principal" Principal is
an RT::User object or an RT::CurrentUser object. "Right" is a textual
Right string that applies to KeywordSelects
=cut
sub HasRight {
my $self = shift;
my %args = ( Right => undef,
Principal => undef,
Queue => undef,
System => undef,
@_ );
#If we're explicitly specifying a queue, as we need to do on create
if (defined $args{'Queue'}) {
return ($args{'Principal'}->HasQueueRight(Right => $args{'Right'},
Queue => $args{'Queue'}));
}
#else if we're specifying to check a system right
elsif ((defined $args{'System'}) and (defined $args{'Right'})) {
return( $args{'Principal'}->HasSystemRight( $args{'Right'} ));
}
elsif ($self->__Value('RightScope') eq 'System') {
return $args{'Principal'}->HasSystemRight($args{'Right'});
}
elsif ($self->__Value('RightScope') eq 'Queue') {
return $args{'Principal'}->HasQueueRight( Queue => $self->__Value('RightAppliesTo'),
Right => $args{'Right'} );
}
else {
$RT::Logger->warning("$self: Trying to check an acl for a scope we ".
"don't understand:" . $self->__Value('RightScope') ."\n");
return undef;
}
}
# }}}
# }}}
1;
__DATA__
# {{{ POD
=head1 Out of date docs
=head2 Table Structure
PrincipalType, PrincipalId, Right,Scope,AppliesTo
=head1 The docs are out of date. so you know.
=head1 Scopes
Scope is the scope of the right granted, not the granularity of the grant.
For example, Queue and Ticket rights are both granted for a "queue."
Rights with a scope of 'System' don't have an AppliesTo. (They're global).
Rights with a scope of "Queue" are rights that act on a queue.
Rights with a scope of "System" are rights that act on some other aspect
of the system.
=item Queue
=item System
=head1 Rights
=head2 Scope: Queue
=head2 Queue rights that apply to a ticket within a queue
Create Ticket in <queue>
Name: Create
Principals: <user> <group>
Display Ticket Summary in <queue>
Name: Show
Principals: <user> <group> Owner Requestor Cc AdminCc
Display Ticket History <queue>
Name: ShowHistory
Principals: <user> <group> Owner Requestor Cc AdminCc
Display Ticket Private Comments <queue>
Name: ShowComments
Principals: <user> <group> Owner Requestor Cc AdminCc
Reply to Ticket in <queue>
Name: Reply
Principals: <user> <group> Owner Requestor Cc AdminCc
Comment on Ticket in <queue>
Name: Comment
Principals: <user> <group> Owner Requestor Cc AdminCc
Modify Ticket in <queue>
Name: Modify
Principals: <user> <group> Owner Requestor Cc AdminCc
Delete Tickets in <queue>
Name: Delete
Principals: <user> <group> Owner Requestor Cc AdminCc
=head2 Queue Rights that apply to a whole queue
These rights can only be granted to "real people"
List Tickets in <queue>
Name: ListQueue
Principals: <user> <group>
Know that <queue> exists
Name: See
Principals: <user> <group>
Display queue settings
Name: Explore
Principals: <user> <group>
Modify Queue Watchers for <queue>
Name: ModifyQueueWatchers
Principals: <user> <group>
Modify Queue Attributes for <queue>
Name: ModifyQueue
Principals: <user> <group>
Modify Queue ACL for queue <queue>
Name: ModifyACL
Principals: <user> <group>
=head2 Rights that apply to the System scope
=head2 SystemRights
Create Queue
Name: CreateQueue
Principals: <user> <group>
Delete Queue
Name: DeleteQueue
Principals: <user> <group>
Create Users
Name: CreateUser
Principals: <user> <group>
Delete Users
Name: DeleteUser
Principals: <user> <group>
Modify Users
Name: ModifyUser
Principals: <user> <group>
Modify Self
Name: ModifySelf
Principals: <user> <group>
Browse Users
Name: BrowseUsers (NOT IMPLEMENTED in 2.0)
Principals: <user> <group>
Modify Self
Name: ModifySelf
Principals: <user> <group>
Modify System ACL
Name: ModifyACL
Principals: <user> <group>
=head1 The Principal Side of the ACE
=head2 PrincipalTypes,PrincipalIds in our Neighborhood
User,<userid>
Group,<groupip>
Everyone,NULL
=cut
# }}}