- my %args = ( PrincipalId => undef,
- PrincipalType => undef,
- RightName => undef,
- RightScope => undef,
- RightAppliesTo => undef,
- @_
- );
-
- # {{{ Validate the principal
- my ($princ_obj);
- if ($args{'PrincipalType'} eq 'User') {
- $princ_obj = new RT::User($RT::SystemUser);
-
- }
- elsif ($args{'PrincipalType'} eq 'Group') {
- require RT::Group;
- $princ_obj = new RT::Group($RT::SystemUser);
- }
- else {
- return (0, 'Principal type '.$args{'PrincipalType'} . ' is invalid.');
- }
-
- $princ_obj->Load($args{'PrincipalId'});
- my $princ_id = $princ_obj->Id();
-
- unless ($princ_id) {
- return (0, 'Principal '.$args{'PrincipalId'}.' not found.');
- }
-
- # }}}
-
- #TODO allow loading of queues by name.
-
- # {{{ Check the ACL
- if ($args{'RightScope'} eq 'System') {
-
- unless ($self->CurrentUserHasSystemRight('ModifyACL')) {
- $RT::Logger->error("Permission Denied.");
- return(undef);
- }
- }
-
- elsif ($args{'RightScope'} eq 'Queue') {
- unless ($self->CurrentUserHasQueueRight( Queue => $args{'RightAppliesTo'},
- Right => 'ModifyACL')) {
- return (0, 'Permission Denied.');
- }
-
-
-
-
- }
- #If it's not a scope we recognise, something scary is happening.
- else {
- $RT::Logger->err("RT::ACE->Create got a scope it didn't recognize: ".
- $args{'RightScope'}." Bailing. \n");
- return(0,"System error. Unable to grant rights.");
- }
-
- # }}}
-
- # {{{ Canonicalize and check the right name
- $args{'RightName'} = $self->CanonicalizeRightName($args{'RightName'});
-
- #check if it's a valid RightName
- if ($args{'RightScope'} eq 'Queue') {
- unless (exists $QUEUERIGHTS{$args{'RightName'}}) {
- return(0, 'Invalid right');
- }
- }
- elsif ($args{'RightScope' eq 'System'}) {
- unless (exists $SYSTEMRIGHTS{$args{'RightName'}}) {
- return(0, 'Invalid right');
- }
- }
- # }}}
-
- # Make sure the right doesn't already exist.
- $self->LoadByCols (PrincipalId => $princ_id,
- PrincipalType => $args{'PrincipalType'},
- RightName => $args{'RightName'},
- RightScope => $args {'RightScope'},
- RightAppliesTo => $args{'RightAppliesTo'}
- );
- if ($self->Id) {
- return (0, 'That user already has that right');
- }
-
- my $id = $self->SUPER::Create( PrincipalId => $princ_id,
- PrincipalType => $args{'PrincipalType'},
- RightName => $args{'RightName'},
- RightScope => $args {'RightScope'},
- RightAppliesTo => $args{'RightAppliesTo'}
- );
-
-
- if ($id > 0 ) {
- return ($id, 'Right Granted');
- }
- else {
- $RT::Logger->err('System error. right not granted.');
- return(0, 'System Error. right not granted');
- }
-}
-
-# }}}
-