3 # Copyright (c) 1996-2003 Jesse Vincent <jesse@bestpractical.com>
5 # (Except where explictly superceded by other copyright notices)
7 # This work is made available to you under the terms of Version 2 of
8 # the GNU General Public License. A copy of that license should have
9 # been provided with this software, but in any event can be snarfed
12 # This work is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 # General Public License for more details.
17 # Unless otherwise specified, all modifications, corrections or
18 # extensions to this work which alter its source code become the
19 # property of Best Practical Solutions, LLC when submitted for
20 # inclusion in the work.
26 RT::Groups - a collection of RT::Group objects
31 my $groups = $RT::Groups->new($CurrentUser);
32 $groups->LimitToReal();
33 while (my $group = $groups->Next()) {
34 print $group->Id ." is a group id\n";
45 ok (require RT::Groups);
52 no warnings qw(redefine);
59 $self->{'table'} = "Groups";
60 $self->{'primary_key'} = "id";
62 $self->OrderBy( ALIAS => 'main',
67 return ( $self->SUPER::_Init(@_));
71 # {{{ LimiToSystemInternalGroups
73 =head2 LimitToSystemInternalGroups
75 Return only SystemInternal Groups, such as "privileged" "unprivileged" and "everyone"
80 sub LimitToSystemInternalGroups {
82 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'SystemInternal');
83 # All system internal groups have the same instance. No reason to limit down further
84 #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '0');
90 # {{{ LimiToUserDefinedGroups
92 =head2 LimitToUserDefined Groups
94 Return only UserDefined Groups
99 sub LimitToUserDefinedGroups {
101 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'UserDefined');
102 # All user-defined groups have the same instance. No reason to limit down further
103 #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
109 # {{{ LimiToPersonalGroups
111 =head2 LimitToPersonalGroupsFor PRINCIPAL_ID
113 Return only Personal Groups for the user whose principal id
119 sub LimitToPersonalGroupsFor {
123 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'Personal');
124 $self->Limit( FIELD => 'Instance',
127 ENTRY_AGGREGATOR => 'OR');
133 # {{{ LimitToRolesForQueue
135 =item LimitToRolesForQueue QUEUE_ID
137 Limits the set of groups found to role groups for queue QUEUE_ID
141 sub LimitToRolesForQueue {
144 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Queue-Role');
145 $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => $queue);
150 # {{{ LimitToRolesForTicket
152 =item LimitToRolesForTicket Ticket_ID
154 Limits the set of groups found to role groups for Ticket Ticket_ID
158 sub LimitToRolesForTicket {
161 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Ticket-Role');
162 $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '$Ticket');
167 # {{{ LimitToRolesForSystem
169 =item LimitToRolesForSystem System_ID
171 Limits the set of groups found to role groups for System System_ID
175 sub LimitToRolesForSystem {
177 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::System-Role');
182 =head2 WithMember {PrincipalId => PRINCIPAL_ID, Recursively => undef}
184 Limits the set of groups returned to groups which have
185 Principal PRINCIPAL_ID as a member
189 my $u = RT::User->new($RT::SystemUser);
190 $u->Create(Name => 'Membertests');
191 my $g = RT::Group->new($RT::SystemUser);
192 my ($id, $msg) = $g->CreateUserDefinedGroup(Name => 'Membertests');
195 my ($aid, $amsg) =$g->AddMember($u->id);
197 ok($g->HasMember($u->PrincipalObj),"G has member u");
199 my $groups = RT::Groups->new($RT::SystemUser);
200 $groups->LimitToUserDefinedGroups();
201 $groups->WithMember(PrincipalId => $u->id);
202 ok ($groups->Count == 1,"found the 1 group - " . $groups->Count);
203 ok ($groups->First->Id == $g->Id, "it's the right one");
215 my %args = ( PrincipalId => undef,
216 Recursively => undef,
220 if ($args{'Recursively'}) {
221 $members = $self->NewAlias('CachedGroupMembers');
223 $members = $self->NewAlias('GroupMembers');
225 $self->Join(ALIAS1 => 'main', FIELD1 => 'id',
226 ALIAS2 => $members, FIELD2 => 'GroupId');
228 $self->Limit(ALIAS => $members, FIELD => 'MemberId', OPERATOR => '=', VALUE => $args{'PrincipalId'});
232 =head2 WithRight { Right => RIGHTNAME, Object => RT::Record, IncludeSystemRights => 1, IncludeSuperusers => 0 }
235 Find all groups which have RIGHTNAME for RT::Record. Optionally include global rights and superusers. By default, include the global rights, but not the superusers.
239 my $q = RT::Queue->new($RT::SystemUser);
240 my ($id, $msg) =$q->Create( Name => 'GlobalACLTest');
243 my $testuser = RT::User->new($RT::SystemUser);
244 ($id,$msg) = $testuser->Create(Name => 'JustAnAdminCc');
247 my $global_admin_cc = RT::Group->new($RT::SystemUser);
248 $global_admin_cc->LoadSystemRoleGroup('AdminCc');
249 ok($global_admin_cc->id, "Found the global admincc group");
250 my $groups = RT::Groups->new($RT::SystemUser);
251 $groups->WithRight(Right => 'OwnTicket', Object => $q);
252 is($groups->Count, 1);
253 ($id, $msg) = $global_admin_cc->PrincipalObj->GrantRight(Right =>'OwnTicket', Object=> $RT::System);
255 ok (!$testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does not have the right to own tickets in the test queue");
256 ($id, $msg) = $q->AddWatcher(Type => 'AdminCc', PrincipalId => $testuser->id);
258 ok ($testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does have the right to own tickets now. thank god.");
260 $groups = RT::Groups->new($RT::SystemUser);
261 $groups->WithRight(Right => 'OwnTicket', Object => $q);
263 is($groups->Count, 2);
273 my %args = ( Right => undef,
275 IncludeSystemRights => 1,
276 IncludeSuperusers => undef,
279 my $acl = $self->NewAlias('ACL');
281 # {{{ Find only rows where the right granted is the one we're looking up or _possibly_ superuser
282 $self->Limit( ALIAS => $acl,
283 FIELD => 'RightName',
284 OPERATOR => ($args{Right} ? '=' : 'IS NOT'),
285 VALUE => $args{Right} || 'NULL',
286 ENTRYAGGREGATOR => 'OR' );
288 if ( $args{'IncludeSuperusers'} and $args{'Right'} ) {
289 $self->Limit( ALIAS => $acl,
290 FIELD => 'RightName',
292 VALUE => 'SuperUser',
293 ENTRYAGGREGATOR => 'OR' );
297 my ($or_check_ticket_roles, $or_check_roles);
298 my $which_object = "$acl.ObjectType = 'RT::System'";
300 if ( defined $args{'Object'} ) {
301 if ( ref($args{'Object'}) eq 'RT::Ticket' ) {
302 $or_check_ticket_roles =
303 " OR ( main.Domain = 'RT::Ticket-Role' AND main.Instance = " . $args{'Object'}->Id . ") ";
305 # If we're looking at ticket rights, we also want to look at the associated queue rights.
306 # this is a little bit hacky, but basically, now that we've done the ticket roles magic,
307 # we load the queue object and ask all the rest of our questions about the queue.
308 $args{'Object'} = $args{'Object'}->QueueObj;
310 # TODO XXX This really wants some refactoring
311 if ( ref($args{'Object'}) eq 'RT::Queue' ) {
313 " OR ( ( (main.Domain = 'RT::Queue-Role' AND main.Instance = " .
314 $args{'Object'}->Id . ") $or_check_ticket_roles ) " .
315 " AND main.Type = $acl.PrincipalType) ";
318 if ( $args{'IncludeSystemRights'} ) {
319 $which_object .= ' OR ';
325 " ($acl.ObjectType = '" . ref($args{'Object'}) . "'" .
326 " AND $acl.ObjectId = " . $args{'Object'}->Id . ") ";
329 $self->_AddSubClause( "WhichObject", "($which_object)" );
331 $self->_AddSubClause( "WhichGroup",
333 ( ( $acl.PrincipalId = main.id
334 AND $acl.PrincipalType = 'Group'
335 AND ( main.Domain = 'SystemInternal'
336 OR main.Domain = 'UserDefined'
337 OR main.Domain = 'ACLEquivalence'))
343 # {{{ sub LimitToEnabled
345 =head2 LimitToEnabled
347 Only find items that haven\'t been disabled
354 my $alias = $self->Join(
358 TABLE2 => 'Principals',
362 $self->Limit( ALIAS => $alias,
369 # {{{ sub LimitToDisabled
371 =head2 LimitToDeleted
373 Only find items that have been deleted.
380 my $alias = $self->Join(
384 TABLE2 => 'Principals',
388 $self->{'find_disabled_rows'} = 1;
389 $self->Limit( ALIAS => $alias,
400 #unless we really want to find disabled rows, make sure we\'re only finding enabled ones.
401 unless($self->{'find_disabled_rows'}) {
402 $self->LimitToEnabled();
405 return($self->SUPER::_DoSearch(@_));