+ my %args = (
+ PrincipalId => undef,
+ PrincipalType => undef,
+ RightName => undef,
+ Object => undef,
+ @_
+ );
+
+ unless ( $args{'RightName'} ) {
+ return ( 0, $self->loc('No right specified') );
+ }
+
+ #if we haven't specified any sort of right, we're talking about a global right
+ if (!defined $args{'Object'} && !defined $args{'ObjectId'} && !defined $args{'ObjectType'}) {
+ $args{'Object'} = $RT::System;
+ }
+ ($args{'Object'}, $args{'ObjectType'}, $args{'ObjectId'}) = $self->_ParseObjectArg( %args );
+ unless( $args{'Object'} ) {
+ return ( 0, $self->loc("System error. Right not granted.") );
+ }
+
+ # Validate the principal
+ my $princ_obj;
+ ( $princ_obj, $args{'PrincipalType'} ) =
+ $self->_CanonicalizePrincipal( $args{'PrincipalId'},
+ $args{'PrincipalType'} );
+
+ unless ( $princ_obj->id ) {
+ return ( 0,
+ $self->loc( 'Principal [_1] not found.', $args{'PrincipalId'} )
+ );
+ }
+
+ # }}}
+
+ # Check the ACL
+
+ if (ref( $args{'Object'}) eq 'RT::Group' ) {
+ unless ( $self->CurrentUser->HasRight( Object => $args{'Object'},
+ Right => 'AdminGroup' )
+ ) {
+ return ( 0, $self->loc('Permission Denied') );
+ }
+ }
+
+ else {
+ unless ( $self->CurrentUser->HasRight( Object => $args{'Object'}, Right => 'ModifyACL' )) {
+ return ( 0, $self->loc('Permission Denied') );
+ }
+ }
+ # }}}
+
+ # Canonicalize and check the right name
+ my $canonic_name = $self->CanonicalizeRightName( $args{'RightName'} );
+ unless ( $canonic_name ) {
+ return ( 0, $self->loc("Invalid right. Couldn't canonicalize right '[_1]'", $args{'RightName'}) );
+ }
+ $args{'RightName'} = $canonic_name;
+
+ #check if it's a valid RightName
+ if ( $args{'Object'}->can('AvailableRights') ) {
+ my $available = $args{'Object'}->AvailableRights($princ_obj);
+ unless ( grep $_ eq $args{'RightName'}, map $self->CanonicalizeRightName( $_ ), keys %$available ) {
+ $RT::Logger->warning(
+ "Couldn't validate right name '$args{'RightName'}'"
+ ." for object of ". ref( $args{'Object'} ) ." class"
+ );
+ return ( 0, $self->loc('Invalid right') );
+ }
+ }
+ # }}}
+
+ # Make sure the right doesn't already exist.
+ $self->LoadByCols( PrincipalId => $princ_obj->id,
+ PrincipalType => $args{'PrincipalType'},
+ RightName => $args{'RightName'},
+ ObjectType => $args{'ObjectType'},
+ ObjectId => $args{'ObjectId'},
+ );
+ if ( $self->Id ) {
+ return ( 0, $self->loc('[_1] already has that right',
+ $princ_obj->Object->Name) );
+ }
+
+ my $id = $self->SUPER::Create( PrincipalId => $princ_obj->id,
+ PrincipalType => $args{'PrincipalType'},
+ RightName => $args{'RightName'},
+ ObjectType => ref( $args{'Object'} ),
+ ObjectId => $args{'Object'}->id,
+ );
+
+ if ( $id ) {
+ RT::ACE->InvalidateCaches(
+ Action => "Grant",
+ RightName => $self->RightName,
+ ACE => $self,
+ );
+ return ( $id, $self->loc('Right Granted') );
+ }
+ else {
+ return ( 0, $self->loc('System error. Right not granted.') );
+ }
+}
+
+
+
+=head2 Delete { InsideTransaction => undef}
+
+Delete this object. This method should ONLY ever be called from RT::User or RT::Group (or from itself)
+If this is being called from within a transaction, specify a true value for the parameter InsideTransaction.
+Really, DBIx::SearchBuilder should use and/or fake subtransactions
+
+This routine will also recurse and delete any delegations of this right
+
+=cut
+
+sub Delete {
+ my $self = shift;
+
+ unless ( $self->Id ) {
+ return ( 0, $self->loc('Right not loaded.') );
+ }
+
+ # A user can delete an ACE if the current user has the right to modify it and it's not a delegated ACE
+ # or if it's a delegated ACE and it was delegated by the current user
+ unless ($self->CurrentUser->HasRight(Right => 'ModifyACL', Object => $self->Object)) {
+ return ( 0, $self->loc('Permission Denied') );
+ }
+ $self->_Delete(@_);
+}
+
+# Helper for Delete with no ACL check
+sub _Delete {
+ my $self = shift;
+ my %args = ( InsideTransaction => undef,
+ @_ );
+
+ my $InsideTransaction = $args{'InsideTransaction'};
+
+ $RT::Handle->BeginTransaction() unless $InsideTransaction;
+
+ my $right = $self->RightName;
+
+ my ( $val, $msg ) = $self->SUPER::Delete(@_);
+
+ if ($val) {
+ RT::ACE->InvalidateCaches( Action => "Revoke", RightName => $right );
+ $RT::Handle->Commit() unless $InsideTransaction;
+ return ( $val, $self->loc('Right revoked') );
+ }
+
+ $RT::Handle->Rollback() unless $InsideTransaction;
+ return ( 0, $self->loc('Right could not be revoked') );
+}
+
+
+
+=head2 _BootstrapCreate
+
+Grant a right with no error checking and no ACL. this is _only_ for
+installation. If you use this routine without the author's explicit
+written approval, he will hunt you down and make you spend eternity
+translating mozilla's code into FORTRAN or intercal.
+
+If you think you need this routine, you've mistaken.
+
+=cut
+
+sub _BootstrapCreate {
+ my $self = shift;
+ my %args = (@_);
+
+ # When bootstrapping, make sure we get the _right_ users
+ if ( $args{'UserId'} ) {
+ my $user = RT::User->new( $self->CurrentUser );
+ $user->Load( $args{'UserId'} );
+ delete $args{'UserId'};
+ $args{'PrincipalId'} = $user->PrincipalId;
+ $args{'PrincipalType'} = 'User';
+ }
+
+ my $id = $self->SUPER::Create(%args);
+
+ if ( $id > 0 ) {
+ return ($id);
+ }
+ else {
+ $RT::Logger->err('System error. right not granted.');
+ return (undef);
+ }
+
+}
+
+=head2 InvalidateCaches
+
+Calls any registered ACL cache handlers (see L</RegisterCacheHandler>).
+
+Usually called from L</Create> and L</Delete>.
+
+=cut
+
+sub InvalidateCaches {
+ my $class = shift;
+
+ for my $handler (@_ACL_CACHE_HANDLERS) {
+ next unless ref($handler) eq "CODE";
+ $handler->(@_);
+ }
+}
+
+=head2 RegisterCacheHandler
+
+Class method. Takes a coderef and adds it to the ACL cache handlers. These
+handlers are called by L</InvalidateCaches>, usually called itself from
+L</Create> and L</Delete>.
+
+The handlers are passed a hash which may contain any (or none) of these
+optional keys:
+
+=over
+
+=item Action
+
+A string indicating the action that (may have) invalidated the cache. Expected
+values are currently:
+
+=over
+
+=item Grant
+
+=item Revoke
+
+=back
+
+However, other values may be passed in the future.
+
+=item RightName
+
+The (canonicalized) right being granted or revoked.
+
+=item ACE
+
+The L<RT::ACE> object just created.
+
+=back
+
+Your handler should be flexible enough to account for additional arguments
+being passed in the future.
+
+=cut
+
+sub RegisterCacheHandler {
+ push @_ACL_CACHE_HANDLERS, $_[1];
+}
+
+sub RightName {
+ my $self = shift;
+ my $val = $self->_Value('RightName');
+ return $val unless $val;
+
+ my $available = $self->Object->AvailableRights;
+ foreach my $right ( keys %$available ) {
+ return $right if $val eq $self->CanonicalizeRightName($right);
+ }
+
+ $RT::Logger->error("Invalid right. Couldn't canonicalize right '$val'");
+ return $val;
+}
+
+=head2 CanonicalizeRightName <RIGHT>
+
+Takes a queue or system right name in any case and returns it in
+the correct case. If it's not found, will return undef.
+
+=cut
+
+sub CanonicalizeRightName {
+ my $self = shift;
+ my $name = shift;
+ for my $class (sort keys %RIGHTS) {
+ return $RIGHTS{$class}{ lc $name }{Name}
+ if $RIGHTS{$class}{ lc $name };
+ }
+ return undef;
+}
+
+
+
+=head2 Object
+
+If the object this ACE applies to is a queue, returns the queue object.
+If the object this ACE applies to is a group, returns the group object.
+If it's the system object, returns undef.
+
+If the user has no rights, returns undef.
+
+=cut
+
+
+
+
+sub Object {
+ my $self = shift;