

Does principal baz have right foo for object bar?

What rights does user baz have for object bar?

# {{{ Which principals have right foo for object bar


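# Build $query: a SELECT over Users that yields every user who holds the
# right named in $right on the object described by %args (ObjectType /
# ObjectId).  A user qualifies through a direct ACL grant on the object or
# on the System, a SuperUser grant, membership of a SystemInternal /
# UserDefined / ACLEquivalence group, or (for Queue/Ticket objects) a
# Queue or Ticket role group.
#
# Inputs (set by the caller, not in this fragment): %args, $right.
# Output: $query -- SQL text only; nothing is executed here.
#
# The role / object fragments are only populated for some object types,
# so they start as '' rather than undef and never interpolate as "undef".
my $or_check_ticket_roles    = '';
my $or_check_roles           = '';
my $or_look_at_object_rights = '';

# Every caller-supplied value below is spliced straight into the SQL text
# rather than bound as a placeholder, so each one is first restricted to
# the only shape it can legitimately have: ids are integers, type and
# right names are bare identifiers.  Anything else is refused outright.
die "right name must be a plain identifier"
    unless defined $right && $right =~ m{\A\w+\z};

if (defined $args{'ObjectType'}) {
    die "ObjectType must be a plain identifier: '$args{'ObjectType'}'"
        unless $args{'ObjectType'} =~ m{\A\w+\z};
    die "ObjectId must be a non-negative integer"
        unless defined $args{'ObjectId'} && $args{'ObjectId'} =~ m{\A\d+\z};

    if ($args{'ObjectType'} eq 'Ticket') {
        $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = '".$args{'ObjectId'}."') ";
        # If we're looking at ticket rights, we also want to look at the associated queue rights.
        # This is a little bit hacky, but basically, now that we've done the ticket roles magic,
        # we load the queue object and ask all the rest of our questions about the queue.
        my $tick = RT::Ticket->new($RT::SystemUser);
        $tick->Load($args{'ObjectId'});
        # Guard against a failed Load: an unloaded ticket has no usable
        # Id, and its QueueObj->Id() would otherwise silently become the
        # queue id the rest of the query is built around.
        die "no ticket with id $args{'ObjectId'}" unless $tick->Id;
        $args{'ObjectType'} = 'Queue';
        $args{'ObjectId'}   = $tick->QueueObj->Id();
    }

    if ($args{'ObjectType'} eq 'Queue') {
        # Queue role groups for this queue, plus (when we came in via a
        # Ticket) the ticket role groups computed above.
        $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = '".$args{'ObjectId'}."') $or_check_ticket_roles )
                               AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
    }

    # Grants made directly on this object, in addition to System-wide ones.
    $or_look_at_object_rights = " OR (ACL.ObjectType = '".$args{'ObjectType'}."'  AND ACL.ObjectId = '".$args{'ObjectId'}."') ";
}

# UserPrinc is the principal row of the user being selected; Principals is
# the (group) principal the ACL entry was granted to, reached through
# CachedGroupMembers so that indirect membership counts too.
my $query = "SELECT Users.*  from ACL, Groups, Users, Principals, Principals UserPrinc, CachedGroupMembers  WHERE
        Users.id = UserPrinc.ObjectId AND UserPrinc.PrincipalType = 'User' AND
        Principals.Id = CachedGroupMembers.GroupId AND
        CachedGroupMembers.MemberId = UserPrinc.ObjectId AND
        (ACL.RightName = 'SuperUser' OR  ACL.RightName = '$right') AND
        (ACL.ObjectType = 'System' $or_look_at_object_rights) AND
        (
                (ACL.PrincipalId = Principals.Id AND
                 Principals.ObjectId = Groups.Id AND
                 ACL.PrincipalType = 'Group' AND
                 (Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence')
                )
           $or_check_roles
        )";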

# }}}

What objects does principal baz have right foo for?
;