+# XXX: should be generalized
+sub _JoinACL
+{
+ my $self = shift;
+ my %args = (
+ Right => undef,
+ IncludeSuperusers => undef,
+ @_,
+ );
+
+ if ( $args{'Right'} ) {
+ my $canonic = RT::ACE->CanonicalizeRightName( $args{'Right'} );
+ unless ( $canonic ) {
+ $RT::Logger->error("Invalid right. Couldn't canonicalize right '$args{'Right'}'");
+ }
+ else {
+ $args{'Right'} = $canonic;
+ }
+ }
+
+ my $acl = $self->NewAlias('ACL');
+ $self->Limit(
+ ALIAS => $acl,
+ FIELD => 'RightName',
+ OPERATOR => ( $args{Right} ? '=' : 'IS NOT' ),
+ VALUE => $args{Right} || 'NULL',
+ ENTRYAGGREGATOR => 'OR'
+ );
+ if ( $args{'IncludeSuperusers'} and $args{'Right'} ) {
+ $self->Limit(
+ ALIAS => $acl,
+ FIELD => 'RightName',
+ OPERATOR => '=',
+ VALUE => 'SuperUser',
+ ENTRYAGGREGATOR => 'OR'
+ );
+ }
+ return $acl;
+}
+
+# XXX: should be generalized
+sub _GetEquivObjects
+{
+ my $self = shift;
+ my %args = (
+ Object => undef,
+ IncludeSystemRights => undef,
+ EquivObjects => [ ],
+ @_
+ );
+ return () unless $args{'Object'};
+
+ my @objects = ($args{'Object'});
+ if ( UNIVERSAL::isa( $args{'Object'}, 'RT::Ticket' ) ) {
+ # If we're looking at ticket rights, we also want to look at the associated queue rights.
+ # this is a little bit hacky, but basically, now that we've done the ticket roles magic,
+ # we load the queue object and ask all the rest of our questions about the queue.
+
+ # XXX: This should be abstracted into object itself
+ if( $args{'Object'}->id ) {
+ push @objects, $args{'Object'}->ACLEquivalenceObjects;
+ } else {
+ push @objects, 'RT::Queue';
+ }
+ }
+
+ if( $args{'IncludeSystemRights'} ) {
+ push @objects, $RT::System;
+ }
+ push @objects, @{ $args{'EquivObjects'} };
+ return grep $_, @objects;
+}
+
+# XXX: should be generalized
+sub WhoHaveRight {
+ my $self = shift;
+ my %args = (
+ Right => undef,
+ Object => undef,
+ IncludeSystemRights => undef,
+ IncludeSuperusers => undef,
+ IncludeSubgroupMembers => 1,
+ EquivObjects => [ ],
+ @_
+ );
+
+ if ( defined $args{'ObjectType'} || defined $args{'ObjectId'} ) {
+ $RT::Logger->crit( "WhoHaveRight called with the Obsolete ObjectId/ObjectType API");
+ return (undef);
+ }
+
+ my $from_role = $self->Clone;
+ $from_role->WhoHaveRoleRight( %args );
+
+ my $from_group = $self->Clone;
+ $from_group->WhoHaveGroupRight( %args );
+
+ #XXX: DIRTY HACK
+ use DBIx::SearchBuilder 1.50; #no version on ::Union :(
+ use DBIx::SearchBuilder::Union;
+ my $union = DBIx::SearchBuilder::Union->new();
+ $union->add( $from_group );
+ $union->add( $from_role );
+ %$self = %$union;
+ bless $self, ref($union);
+
+ return;
+}
+
+# XXX: should be generalized
+sub WhoHaveRoleRight
+{
+ my $self = shift;
+ my %args = (
+ Right => undef,
+ Object => undef,
+ IncludeSystemRights => undef,
+ IncludeSuperusers => undef,
+ IncludeSubgroupMembers => 1,
+ EquivObjects => [ ],
+ @_
+ );
+
+ my @objects = $self->_GetEquivObjects( %args );
+
+ # RT::Principal->RolesWithRight only expects EquivObjects, so we need to
+ # fill it. At the very least it needs $args{Object}, which
+ # _GetEquivObjects above does for us.
+ unshift @{$args{'EquivObjects'}}, @objects;
+
+ my @roles = RT::Principal->RolesWithRight( %args );
+ unless ( @roles ) {
+ $self->_AddSubClause( "WhichRole", "(main.id = 0)" );
+ return;
+ }
+
+ my $groups = $self->_JoinGroups( %args );
+
+ # no system user
+ $self->Limit( ALIAS => $self->PrincipalsAlias,
+ FIELD => 'id',
+ OPERATOR => '!=',
+ VALUE => RT->SystemUser->id
+ );
+
+ $self->_AddSubClause( "WhichRole", "(". join( ' OR ',
+ map $RT::Handle->__MakeClauseCaseInsensitive("$groups.Name", '=', "'$_'"), @roles
+ ) .")" );
+
+ my @groups_clauses = $self->_RoleClauses( $groups, @objects );
+ $self->_AddSubClause( "WhichObject", "(". join( ' OR ', @groups_clauses ) .")" )
+ if @groups_clauses;
+
+ return;
+}
+
+sub _RoleClauses {
+ my $self = shift;
+ my $groups = shift;
+ my @objects = @_;
+
+ my @groups_clauses;
+ foreach my $obj ( @objects ) {
+ my $type = ref($obj)? ref($obj): $obj;
+
+ my $role_clause = $RT::Handle->__MakeClauseCaseInsensitive("$groups.Domain", '=', "'$type-Role'");