1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
use strict;
use warnings;
use RT::Test nodata => 1, tests => 114;
RT::Group->AddRight( General =>
'RTxGroupRight' => 'Just a right for testing rights',
);
# this company is split into two halves, the hackers and the non-hackers
# herbert is a hacker but eric is not.
my $herbert = RT::User->new(RT->SystemUser);
my ($ok, $msg) = $herbert->Create(Name => 'herbert');
ok($ok, $msg);
my $eric = RT::User->new(RT->SystemUser);
($ok, $msg) = $eric->Create(Name => 'eric');
ok($ok, $msg);
my $hackers = RT::Group->new(RT->SystemUser);
($ok, $msg) = $hackers->CreateUserDefinedGroup(Name => 'Hackers');
ok($ok, $msg);
my $employees = RT::Group->new(RT->SystemUser);
($ok, $msg) = $employees->CreateUserDefinedGroup(Name => 'Employees');
ok($ok, $msg);
($ok, $msg) = $employees->AddMember($hackers->PrincipalId);
ok($ok, $msg);
($ok, $msg) = $hackers->AddMember($herbert->PrincipalId);
ok($ok, $msg);
($ok, $msg) = $employees->AddMember($eric->PrincipalId);
ok($ok, $msg);
ok($employees->HasMemberRecursively($hackers->PrincipalId), 'employees has member hackers');
ok($employees->HasMemberRecursively($herbert->PrincipalId), 'employees has member herbert');
ok($employees->HasMemberRecursively($eric->PrincipalId), 'employees has member eric');
ok($hackers->HasMemberRecursively($herbert->PrincipalId), 'hackers has member herbert');
ok(!$hackers->HasMemberRecursively($eric->PrincipalId), 'hackers does not have member eric');
# There's also a separate group, "Other", which both are a member of.
my $other = RT::Group->new(RT->SystemUser);
($ok, $msg) = $other->CreateUserDefinedGroup(Name => 'Other');
ok($ok, $msg);
($ok, $msg) = $other->AddMember($eric->PrincipalId);
ok($ok, $msg);
($ok, $msg) = $other->AddMember($herbert->PrincipalId);
ok($ok, $msg);
# Everyone can SeeGroup on all three groups
my $everyone = RT::Group->new( RT->SystemUser );
($ok, $msg) = $everyone->LoadSystemInternalGroup( 'Everyone' );
ok($ok, $msg);
$everyone->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $employees);
$everyone->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $hackers);
$everyone->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $other);
sub CheckRights {
my $cu = shift;
my %groups = (Employees => 0, Hackers => 0, Other => 0, @_);
my $name = $cu->Name;
my $groups = RT::Groups->new(RT::CurrentUser->new($cu));
$groups->LimitToUserDefinedGroups;
$groups->ForWhichCurrentUserHasRight(Right => 'RTxGroupRight');
my %has_right = map { ($_->Name => 1) } @{ $groups->ItemsArrayRef };
local $Test::Builder::Level = $Test::Builder::Level + 1;
for my $groupname (sort keys %groups) {
my $g = RT::Group->new(RT::CurrentUser->new($cu));
$g->LoadUserDefinedGroup($groupname);
if ($groups{$groupname}) {
ok( $g->CurrentUserHasRight("RTxGroupRight"), "$name has right on $groupname (direct query)" );
ok( delete $has_right{$groupname}, "..and also in ForWhichCurrentUserHasRight");
} else {
ok( !$g->CurrentUserHasRight("RTxGroupRight"), "$name doesn't have right on $groupname (direct query)" );
ok( !delete $has_right{$groupname}, "..and also not in ForWhichCurrentUserHasRight");
}
}
ok(not(keys %has_right), "ForWhichCurrentUserHasRight has no extra groups");
}
# Neither should have it on any group yet
CheckRights($eric);
CheckRights($herbert);
# Grant it to employees, on employees. Both Herbert and Eric will have
# it on employees, though Herbert gets it by way of hackers. Neither
# will have it on hackers, because the target does not recurse.
$employees->PrincipalObj->GrantRight( Right => 'RTxGroupRight', Object => $employees);
CheckRights($eric, Employees => 1);
CheckRights($herbert, Employees => 1);
# Grant it to employees, on hackers. This means both Eric and Herbert
# will have the right on hackers, but not on employees.
$employees->PrincipalObj->RevokeRight(Right => 'RTxGroupRight', Object => $employees);
$employees->PrincipalObj->GrantRight( Right => 'RTxGroupRight', Object => $hackers);
CheckRights($eric, Hackers => 1);
CheckRights($herbert, Hackers => 1);
# Grant it to hackers, on employees. Eric will have it nowhere, and
# Herbert will have it on employees. Note that the target of the right
# itself does _not_ recurse down, so Herbert will not have it on
# hackers.
$employees->PrincipalObj->RevokeRight(Right => 'RTxGroupRight', Object => $hackers);
$hackers->PrincipalObj->GrantRight( Right => 'RTxGroupRight', Object => $employees);
CheckRights($eric);
CheckRights($herbert, Employees => 1);
# Grant it globally to hackers; herbert will see the right on all
# employees, hackers, and other.
$hackers->PrincipalObj->RevokeRight( Right => 'RTxGroupRight', Object => $employees);
$hackers->PrincipalObj->GrantRight( Right => 'RTxGroupRight', Object => RT->System);
CheckRights($eric);
CheckRights($herbert, Employees => 1, Hackers => 1, Other => 1 );
# Grant it globally to employees; both eric and herbert will see the
# right on all employees, hackers, and other.
$hackers->PrincipalObj->RevokeRight( Right => 'RTxGroupRight', Object => RT->System);
$employees->PrincipalObj->GrantRight( Right => 'RTxGroupRight', Object => RT->System);
CheckRights($eric, Employees => 1, Hackers => 1, Other => 1 );
CheckRights($herbert, Employees => 1, Hackers => 1, Other => 1 );
# Disable the employees group. Neither eric nor herbert will see the
# right anywhere.
$employees->SetDisabled(1);
CheckRights($eric);
CheckRights($herbert);
|
