1 # BEGIN BPS TAGGED BLOCK {{{
5 # This software is Copyright (c) 1996-2005 Best Practical Solutions, LLC
6 # <jesse@bestpractical.com>
8 # (Except where explicitly superseded by other copyright notices)
13 # This work is made available to you under the terms of Version 2 of
14 # the GNU General Public License. A copy of that license should have
15 # been provided with this software, but in any event can be snarfed
18 # This work is distributed in the hope that it will be useful, but
19 # WITHOUT ANY WARRANTY; without even the implied warranty of
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 # General Public License for more details.
23 # You should have received a copy of the GNU General Public License
24 # along with this program; if not, write to the Free Software
25 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 # CONTRIBUTION SUBMISSION POLICY:
30 # (The following paragraph is not intended to limit the rights granted
31 # to you to modify and distribute this software under the terms of
32 # the GNU General Public License and is only of importance to you if
33 # you choose to contribute your changes and enhancements to the
34 # community by submitting them to Best Practical Solutions, LLC.)
36 # By intentionally submitting any modifications, corrections or
37 # derivatives to this work, or any other work intended for use with
38 # Request Tracker, to Best Practical Solutions, LLC, you confirm that
39 # you are the copyright holder for those contributions and you grant
40 # Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable,
41 # royalty-free, perpetual, license to use, copy, create derivative
42 # works based on those contributions, and sublicense and distribute
43 # those contributions and any derivatives thereof.
45 # END BPS TAGGED BLOCK }}}
49 RT::Groups - a collection of RT::Group objects
54 my $groups = $RT::Groups->new($CurrentUser);
56 while (my $group = $groups->Next()) {
57 print $group->Id ." is a group id\n";
68 ok (require RT::Groups);
78 no warnings qw(redefine);
85 $self->{'table'} = "Groups";
86 $self->{'primary_key'} = "id";
88 $self->OrderBy( ALIAS => 'main',
93 return ( $self->SUPER::_Init(@_));
97 # {{{ LimiToSystemInternalGroups
99 =head2 LimitToSystemInternalGroups
101 Return only SystemInternal Groups, such as "privileged" "unprivileged" and "everyone"
106 sub LimitToSystemInternalGroups {
108 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'SystemInternal');
109 # All system internal groups have the same instance. No reason to limit down further
110 #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '0');
116 # {{{ LimiToUserDefinedGroups
118 =head2 LimitToUserDefined Groups
120 Return only UserDefined Groups
125 sub LimitToUserDefinedGroups {
127 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'UserDefined');
128 # All user-defined groups have the same instance. No reason to limit down further
129 #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
135 # {{{ LimiToPersonalGroups
137 =head2 LimitToPersonalGroupsFor PRINCIPAL_ID
139 Return only Personal Groups for the user whose principal id
145 sub LimitToPersonalGroupsFor {
149 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'Personal');
150 $self->Limit( FIELD => 'Instance',
158 # {{{ LimitToRolesForQueue
160 =head2 LimitToRolesForQueue QUEUE_ID
162 Limits the set of groups found to role groups for queue QUEUE_ID
166 sub LimitToRolesForQueue {
169 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Queue-Role');
170 $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => $queue);
175 # {{{ LimitToRolesForTicket
177 =head2 LimitToRolesForTicket Ticket_ID
179 Limits the set of groups found to role groups for Ticket Ticket_ID
183 sub LimitToRolesForTicket {
186 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Ticket-Role');
187 $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '$Ticket');
192 # {{{ LimitToRolesForSystem
194 =head2 LimitToRolesForSystem System_ID
196 Limits the set of groups found to role groups for System System_ID
200 sub LimitToRolesForSystem {
202 $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::System-Role');
207 =head2 WithMember {PrincipalId => PRINCIPAL_ID, Recursively => undef}
209 Limits the set of groups returned to groups which have
210 Principal PRINCIPAL_ID as a member
214 my $u = RT::User->new($RT::SystemUser);
215 $u->Create(Name => 'Membertests');
216 my $g = RT::Group->new($RT::SystemUser);
217 my ($id, $msg) = $g->CreateUserDefinedGroup(Name => 'Membertests');
220 my ($aid, $amsg) =$g->AddMember($u->id);
222 ok($g->HasMember($u->PrincipalObj),"G has member u");
224 my $groups = RT::Groups->new($RT::SystemUser);
225 $groups->LimitToUserDefinedGroups();
226 $groups->WithMember(PrincipalId => $u->id);
227 ok ($groups->Count == 1,"found the 1 group - " . $groups->Count);
228 ok ($groups->First->Id == $g->Id, "it's the right one");
240 my %args = ( PrincipalId => undef,
241 Recursively => undef,
245 if ($args{'Recursively'}) {
246 $members = $self->NewAlias('CachedGroupMembers');
248 $members = $self->NewAlias('GroupMembers');
250 $self->Join(ALIAS1 => 'main', FIELD1 => 'id',
251 ALIAS2 => $members, FIELD2 => 'GroupId');
253 $self->Limit(ALIAS => $members, FIELD => 'MemberId', OPERATOR => '=', VALUE => $args{'PrincipalId'});
257 =head2 WithRight { Right => RIGHTNAME, Object => RT::Record, IncludeSystemRights => 1, IncludeSuperusers => 0, EquivObjects => [ ] }
260 Find all groups which have RIGHTNAME for RT::Record. Optionally include global rights and superusers. By default, include the global rights, but not the superusers.
264 my $q = RT::Queue->new($RT::SystemUser);
265 my ($id, $msg) =$q->Create( Name => 'GlobalACLTest');
268 my $testuser = RT::User->new($RT::SystemUser);
269 ($id,$msg) = $testuser->Create(Name => 'JustAnAdminCc');
272 my $global_admin_cc = RT::Group->new($RT::SystemUser);
273 $global_admin_cc->LoadSystemRoleGroup('AdminCc');
274 ok($global_admin_cc->id, "Found the global admincc group");
275 my $groups = RT::Groups->new($RT::SystemUser);
276 $groups->WithRight(Right => 'OwnTicket', Object => $q);
277 is($groups->Count, 1);
278 ($id, $msg) = $global_admin_cc->PrincipalObj->GrantRight(Right =>'OwnTicket', Object=> $RT::System);
280 ok (!$testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does not have the right to own tickets in the test queue");
281 ($id, $msg) = $q->AddWatcher(Type => 'AdminCc', PrincipalId => $testuser->id);
283 ok ($testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does have the right to own tickets now. thank god.");
285 $groups = RT::Groups->new($RT::SystemUser);
286 $groups->WithRight(Right => 'OwnTicket', Object => $q);
288 is($groups->Count, 2);
290 my $RTxGroup = RT::Group->new($RT::SystemUser);
291 ($id, $msg) = $RTxGroup->CreateUserDefinedGroup( Name => 'RTxGroup', Description => "RTx extension group");
295 bless $RTxSysObj, 'RTx::System';
296 *RTx::System::Id = sub { 1; };
297 *RTx::System::id = *RTx::System::Id;
298 my $ace = RT::Record->new($RT::SystemUser);
300 $ace->_BuildTableAttributes unless ($_TABLE_ATTR->{ref($self)});
301 ($id, $msg) = $ace->Create( PrincipalId => $RTxGroup->id, PrincipalType => 'Group', RightName => 'RTxGroupRight', ObjectType => 'RTx::System', ObjectId => 1);
302 ok ($id, "ACL for RTxSysObj created");
305 bless $RTxObj, 'RTx::System::Record';
306 *RTx::System::Record::Id = sub { 4; };
307 *RTx::System::Record::id = *RTx::System::Record::Id;
309 $groups = RT::Groups->new($RT::SystemUser);
310 $groups->WithRight(Right => 'RTxGroupRight', Object => $RTxSysObj);
311 is($groups->Count, 1, "RTxGroupRight found for RTxSysObj");
313 $groups = RT::Groups->new($RT::SystemUser);
314 $groups->WithRight(Right => 'RTxGroupRight', Object => $RTxObj);
315 is($groups->Count, 0, "RTxGroupRight not found for RTxObj");
317 $groups = RT::Groups->new($RT::SystemUser);
318 $groups->WithRight(Right => 'RTxGroupRight', Object => $RTxObj, EquivObjects => [ $RTxSysObj ]);
319 is($groups->Count, 1, "RTxGroupRight found for RTxObj using EquivObjects");
321 $ace = RT::Record->new($RT::SystemUser);
323 $ace->_BuildTableAttributes unless ($_TABLE_ATTR->{ref($self)});
324 ($id, $msg) = $ace->Create( PrincipalId => $RTxGroup->id, PrincipalType => 'Group', RightName => 'RTxGroupRight', ObjectType => 'RTx::System::Record', ObjectId => 5 );
325 ok ($id, "ACL for RTxObj created");
328 bless $RTxObj2, 'RTx::System::Record';
329 *RTx::System::Record::Id = sub { 5; };
331 $groups = RT::Groups->new($RT::SystemUser);
332 $groups->WithRight(Right => 'RTxGroupRight', Object => $RTxObj2);
333 is($groups->Count, 1, "RTxGroupRight found for RTxObj2");
335 $groups = RT::Groups->new($RT::SystemUser);
336 $groups->WithRight(Right => 'RTxGroupRight', Object => $RTxObj2, EquivObjects => [ $RTxSysObj ]);
337 is($groups->Count, 1, "RTxGroupRight found for RTxObj2");
349 my %args = ( Right => undef,
351 IncludeSystemRights => 1,
352 IncludeSuperusers => undef,
356 my $acl = $self->NewAlias('ACL');
358 # {{{ Find only rows where the right granted is the one we're looking up or _possibly_ superuser
359 $self->Limit( ALIAS => $acl,
360 FIELD => 'RightName',
361 OPERATOR => ($args{Right} ? '=' : 'IS NOT'),
362 VALUE => $args{Right} || 'NULL',
363 ENTRYAGGREGATOR => 'OR' );
365 if ( $args{'IncludeSuperusers'} and $args{'Right'} ) {
366 $self->Limit( ALIAS => $acl,
367 FIELD => 'RightName',
369 VALUE => 'SuperUser',
370 ENTRYAGGREGATOR => 'OR' );
374 my ($or_check_ticket_roles, $or_check_roles);
375 my $which_object = "$acl.ObjectType = 'RT::System'";
377 if ( defined $args{'Object'} ) {
378 if ( ref($args{'Object'}) eq 'RT::Ticket' ) {
379 $or_check_ticket_roles =
380 " OR ( main.Domain = 'RT::Ticket-Role' AND main.Instance = " . $args{'Object'}->Id . ") ";
382 # If we're looking at ticket rights, we also want to look at the associated queue rights.
383 # this is a little bit hacky, but basically, now that we've done the ticket roles magic,
384 # we load the queue object and ask all the rest of our questions about the queue.
385 $args{'Object'} = $args{'Object'}->QueueObj;
387 # TODO XXX This really wants some refactoring
388 if ( ref($args{'Object'}) eq 'RT::Queue' ) {
390 " OR ( ( (main.Domain = 'RT::Queue-Role' AND main.Instance = " .
391 $args{'Object'}->Id . ") $or_check_ticket_roles ) " .
392 " AND main.Type = $acl.PrincipalType) ";
395 if ( $args{'IncludeSystemRights'} ) {
396 $which_object .= ' OR ';
401 foreach my $obj ( @{ $args{'EquivObjects'} } ) {
402 next unless ( UNIVERSAL::can( $obj, 'id' ) );
403 $which_object .= "($acl.ObjectType = '" . ref( $obj ) . "' AND $acl.ObjectId = " . $obj->id . ") OR ";
406 " ($acl.ObjectType = '" . ref($args{'Object'}) . "'" .
407 " AND $acl.ObjectId = " . $args{'Object'}->Id . ") ";
410 $self->_AddSubClause( "WhichObject", "($which_object)" );
412 $self->_AddSubClause( "WhichGroup",
414 ( ( $acl.PrincipalId = main.id
415 AND $acl.PrincipalType = 'Group'
416 AND ( main.Domain = 'SystemInternal'
417 OR main.Domain = 'UserDefined'
418 OR main.Domain = 'ACLEquivalence'))
424 # {{{ sub LimitToEnabled
426 =head2 LimitToEnabled
428 Only find items that haven\'t been disabled
435 my $alias = $self->Join(
439 TABLE2 => 'Principals',
443 $self->Limit( ALIAS => $alias,
450 # {{{ sub LimitToDisabled
452 =head2 LimitToDeleted
454 Only find items that have been deleted.
461 my $alias = $self->Join(
465 TABLE2 => 'Principals',
469 $self->{'find_disabled_rows'} = 1;
470 $self->Limit( ALIAS => $alias,
483 # Don't show groups which the user isn't allowed to see.
485 my $Group = $self->SUPER::Next();
486 if ((defined($Group)) and (ref($Group))) {
487 unless ($Group->CurrentUserHasRight('SeeGroup')) {
488 return $self->Next();
503 #unless we really want to find disabled rows, make sure we\'re only finding enabled ones.
504 unless($self->{'find_disabled_rows'}) {
505 $self->LimitToEnabled();
508 return($self->SUPER::_DoSearch(@_));