- # Make sure the rights apply to the entire system or to the object in question
- "AND ( " . join( ' OR ', @look_at_objects ) . ") ";
-
-# The groups query does the query based on group membership and individual user rights
-
- my $groups_query = $query_base .
-
-# limit the result set to groups of types ACLEquivalence (user) UserDefined, SystemInternal and Personal
-"AND ( ( ACL.PrincipalId = Principals.id AND ACL.PrincipalType = 'Group' AND "
- . "(Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence' OR Groups.Domain = 'Personal'))"
- .
-
- " ) ";
- $self->_Handle->ApplyLimits( \$groups_query, 1 ); #only return one result
-
- my @roles;
- foreach my $object ( @{ $args{'EquivObjects'} } ) {
- push( @roles, $self->_RolesForObject( ref($object), $object->id ) );
- }
-
- # The roles query does the query based on roles
- my $roles_query;
- if (@roles) {
- $roles_query =
- $query_base . "AND " . " ( ("
- . join( ' OR ', @roles ) . " ) "
- . " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.id AND Principals.PrincipalType = 'Group') ";
- $self->_Handle->ApplyLimits( \$roles_query, 1 ); #only return one result
-
- }
-
- # }}}
-
- # {{{ Actually check the ACL by performing an SQL query
- # $RT::Logger->debug("Now Trying $groups_query");
+ # We always grant rights to Groups
+ . "AND Principals.id = Groups.id "
+ . "AND Principals.PrincipalType = 'Group' "
+
+ # See if the principal is a member of the group recursively or _is the rightholder_
+ # never find recursively disabled group members
+ # also, check to see if the right is being granted _directly_ to this principal,
+ # as is the case when we want to look up group rights
+ . "AND Principals.id = CachedGroupMembers.GroupId "
+ . "AND CachedGroupMembers.MemberId = ". $self->Id ." "
+
+ # Make sure the rights apply to the entire system or to the object in question
+ . "AND ($check_objects) ";
+
+ # The groups query does the query based on group membership and individual user rights
+ my $groups_query = $query_base
+ # limit the result set to groups of types ACLEquivalence (user),
+ # UserDefined, SystemInternal and Personal. All this we do
+ # via (ACL.PrincipalType = 'Group') condition
+ . "AND ACL.PrincipalId = Principals.id "
+ . "AND ACL.PrincipalType = 'Group' ";
+
+ $self->_Handle->ApplyLimits( \$groups_query, 1 ); #only return one result