-# $Header: /home/cvs/cvsroot/freeside/rt/lib/RT/ACL.pm,v 1.1 2002-08-12 06:17:07 ivan Exp $
-# Distributed under the terms of the GNU GPL
-# Copyright (c) 2000 Jesse Vincent <jesse@fsck.com>
+# BEGIN BPS TAGGED BLOCK {{{
+#
+# COPYRIGHT:
+#
+# This software is Copyright (c) 1996-2015 Best Practical Solutions, LLC
+# <sales@bestpractical.com>
+#
+# (Except where explicitly superseded by other copyright notices)
+#
+#
+# LICENSE:
+#
+# This work is made available to you under the terms of Version 2 of
+# the GNU General Public License. A copy of that license should have
+# been provided with this software, but in any event can be snarfed
+# from www.gnu.org.
+#
+# This work is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 or visit their web page on the internet at
+# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+#
+#
+# CONTRIBUTION SUBMISSION POLICY:
+#
+# (The following paragraph is not intended to limit the rights granted
+# to you to modify and distribute this software under the terms of
+# the GNU General Public License and is only of importance to you if
+# you choose to contribute your changes and enhancements to the
+# community by submitting them to Best Practical Solutions, LLC.)
+#
+# By intentionally submitting any modifications, corrections or
+# derivatives to this work, or any other work intended for use with
+# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+# you are the copyright holder for those contributions and you grant
+# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable,
+# royalty-free, perpetual, license to use, copy, create derivative
+# works based on those contributions, and sublicense and distribute
+# those contributions and any derivatives thereof.
+#
+# END BPS TAGGED BLOCK }}}
=head1 NAME
=head1 SYNOPSIS
use RT::ACL;
-my $ACL = new RT::ACL($CurrentUser);
+my $ACL = RT::ACL->new($CurrentUser);
=head1 DESCRIPTION
=head1 METHODS
-=begin testing
-
-ok(require RT::TestHarness);
-ok(require RT::ACL);
-
-=end testing
=cut
+
package RT::ACL;
-use RT::EasySearch;
use RT::ACE;
-@ISA= qw(RT::EasySearch);
-
-# {{{ sub _Init
-sub _Init {
- my $self = shift;
- $self->{'table'} = "ACL";
- $self->{'primary_key'} = "id";
- return ( $self->SUPER::_Init(@_));
-
-}
-# }}}
-# {{{ sub NewItem
-sub NewItem {
- my $self = shift;
- return(RT::ACE->new($self->CurrentUser));
-}
-# }}}
+use base 'RT::SearchBuilder';
+
+sub Table { 'ACL'}
+
+use strict;
+use warnings;
+
+
=head2 Next
=cut
-# {{{ sub Next
-sub Next {
- my $self = shift;
-
- my $ACE = $self->SUPER::Next();
- if ((defined($ACE)) and (ref($ACE))) {
-
- if ( $ACE->CurrentUserHasRight('ShowACL') or
- $ACE->CurrentUserHasRight('ModifyACL')
- ) {
- return($ACE);
- }
-
- #If the user doesn't have the right to show this ACE
- else {
- return($self->Next());
- }
- }
- #if there never was any ACE
- else {
- return(undef);
- }
-
-}
-# }}}
+=head2 LimitToObject $object
-=head1 Limit the ACL to a specific scope
+Limit the ACL to rights for the object $object. It needs to be an RT::Record class.
-There are two real scopes right now:
+=cut
-=item Queue is for rights that apply to a single queue
+sub LimitToObject {
+ my $self = shift;
+ my $obj = shift;
+
+ my $obj_type = ref($obj)||$obj;
+ my $obj_id = eval { $obj->id};
+
+ my $object_clause = 'possible_objects';
+ $self->_OpenParen($object_clause);
+ $self->Limit(
+ SUBCLAUSE => $object_clause,
+ FIELD => 'ObjectType',
+ OPERATOR => '=',
+ VALUE => (ref($obj)||$obj),
+ ENTRYAGGREGATOR => 'OR' # That "OR" applies to the separate objects we're searching on, not "Type Or ID"
+ );
+ if ($obj_id) {
+ $self->Limit(
+ SUBCLAUSE => $object_clause,
+ FIELD => 'ObjectId',
+ OPERATOR => '=',
+ VALUE => $obj_id,
+ ENTRYAGGREGATOR => 'AND',
+ QUOTEVALUE => 0
+ );
+ }
+ $self->_CloseParen($object_clause);
-=item System is for rights that apply to the System (rights that aren't queue related)
+}
-=head2 LimitToQueue
-Takes a single queueid as its argument.
+=head2 LimitNotObject $object
-Limit the ACL to just a given queue when supplied with an integer queue id.
+Limit the ACL to rights NOT on the object $object. $object needs to be
+an RT::Record class.
=cut
-sub LimitToQueue {
+sub LimitNotObject {
my $self = shift;
- my $queue = shift;
-
-
-
- $self->Limit( FIELD =>'RightScope',
+ my $obj = shift;
+ unless ( defined($obj)
+ && ref($obj)
+ && UNIVERSAL::can( $obj, 'id' )
+ && $obj->id )
+ {
+ return undef;
+ }
+ $self->Limit( FIELD => 'ObjectType',
+ OPERATOR => '!=',
+ VALUE => ref($obj),
ENTRYAGGREGATOR => 'OR',
- VALUE => 'Queue');
- $self->Limit( FIELD =>'RightScope',
+ SUBCLAUSE => $obj->id
+ );
+ $self->Limit( FIELD => 'ObjectId',
+ OPERATOR => '!=',
+ VALUE => $obj->id,
ENTRYAGGREGATOR => 'OR',
- VALUE => 'Ticket');
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'RightAppliesTo',
- VALUE => $queue );
-
+ QUOTEVALUE => 0,
+ SUBCLAUSE => $obj->id
+ );
}
-=head2 LimitToSystem()
-Limit the ACL to system rights
+=head2 LimitToPrincipal { Type => undef, Id => undef, IncludeGroupMembership => undef }
-=cut
-
-sub LimitToSystem {
- my $self = shift;
-
- $self->Limit( FIELD =>'RightScope',
- VALUE => 'System');
-}
-
-
-=head2 LimitRightTo
-
-Takes a single RightName as its only argument.
-Limits the search to the right $right.
-$right is a right listed in perldoc RT::ACE
-
-=cut
-
-sub LimitRightTo {
- my $self = shift;
- my $right = shift;
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'RightName',
- VALUE => $right );
-
-}
+Limit the ACL to the principal with PrincipalId Id and PrincipalType Type
-=head1 Limit to a specifc set of principals
+Id is not optional.
+Type is.
-=head2 LimitPrincipalToUser
+if IncludeGroupMembership => 1 is specified, ACEs which apply to the principal due to group membership will be included in the resultset.
-Takes a single userid as its only argument.
-Limit the ACL to a just a specific user.
=cut
-sub LimitPrincipalToUser {
- my $self = shift;
- my $user = shift;
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalType',
- VALUE => 'User' );
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalId',
- VALUE => $user );
-
+sub LimitToPrincipal {
+ my $self = shift;
+ my %args = ( Type => undef,
+ Id => undef,
+ IncludeGroupMembership => undef,
+ @_
+ );
+ if ( $args{'IncludeGroupMembership'} ) {
+ my $cgm = $self->NewAlias('CachedGroupMembers');
+ $self->Join( ALIAS1 => 'main',
+ FIELD1 => 'PrincipalId',
+ ALIAS2 => $cgm,
+ FIELD2 => 'GroupId'
+ );
+ $self->Limit( ALIAS => $cgm,
+ FIELD => 'Disabled',
+ VALUE => 0 );
+ $self->Limit( ALIAS => $cgm,
+ FIELD => 'MemberId',
+ OPERATOR => '=',
+ VALUE => $args{'Id'},
+ ENTRYAGGREGATOR => 'OR'
+ );
+ } else {
+ if ( defined $args{'Type'} ) {
+ $self->Limit( FIELD => 'PrincipalType',
+ OPERATOR => '=',
+ VALUE => $args{'Type'},
+ ENTRYAGGREGATOR => 'OR'
+ );
+ }
+
+ # if the principal id points to a user, we really want to point
+ # to their ACL equivalence group. The machinations we're going through
+ # lead me to start to suspect that we really want users and groups
+ # to just be the same table. or _maybe_ that we want an object db.
+ my $princ = RT::Principal->new( RT->SystemUser );
+ $princ->Load( $args{'Id'} );
+ if ( $princ->PrincipalType eq 'User' ) {
+ my $group = RT::Group->new( RT->SystemUser );
+ $group->LoadACLEquivalenceGroup($princ);
+ $args{'Id'} = $group->PrincipalId;
+ }
+ $self->Limit( FIELD => 'PrincipalId',
+ OPERATOR => '=',
+ VALUE => $args{'Id'},
+ ENTRYAGGREGATOR => 'OR'
+ );
+ }
}
-=head2 LimitPrincipalToGroup
-
-Takes a single group as its only argument.
-Limit the ACL to just a specific group.
-
-=cut
-
-sub LimitPrincipalToGroup {
- my $self = shift;
- my $group = shift;
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalType',
- VALUE => 'Group' );
-
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalId',
- VALUE => $group );
-
-}
-=head2 LimitPrincipalToType($type)
-Takes a single argument, $type.
-Limit the ACL to just a specific principal type
+sub AddRecord {
+ my $self = shift;
+ my ($record) = @_;
-$type is one of:
- TicketOwner
- TicketRequestor
- TicketCc
- TicketAdminCc
- Everyone
- User
- Group
+ # Short-circuit having to load up the ->Object
+ return $self->SUPER::AddRecord( $record )
+ if $record->CurrentUser->PrincipalObj->Id == RT->SystemUser->Id;
-=cut
+ my $obj = $record->Object;
+ return unless $self->CurrentUser->HasRight( Right => 'ShowACL',
+ Object => $obj )
+ or $self->CurrentUser->HasRight( Right => 'ModifyACL',
+ Object => $obj );
-sub LimitPrincipalToType {
- my $self=shift;
- my $type=shift;
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalType',
- VALUE => $type );
+ return $self->SUPER::AddRecord( $record );
}
-=head2 LimitPrincipalToId
-
-Takes a single argument, the numeric Id of the principal to limit this ACL to. Repeated calls to this
-function will broaden the scope of the search to include all principals listed.
-
-=cut
-
-sub LimitPrincipalToId {
- my $self = shift;
- my $id = shift;
-
- if ($id =~ /^\d+$/) {
- $self->Limit(ENTRYAGGREGATOR => 'OR',
- FIELD => 'PrincipalId',
- VALUE => $id );
- }
- else {
- $RT::Logger->warn($self."->LimitPrincipalToId called with '$id' as an id");
- return undef;
- }
-}
#wrap around _DoSearch so that we can build the hash of returned
my $self = shift;
# $RT::Logger->debug("Now in ".$self."->_DoSearch");
my $return = $self->SUPER::_DoSearch(@_);
- # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return\n");
- $self->_BuildHash();
+ # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return");
+ if ( $self->{'must_redo_search'} ) {
+ $RT::Logger->crit(
+"_DoSearch is not so successful as it still needs redo search, won't call _BuildHash"
+ );
+ }
+ else {
+ $self->_BuildHash();
+ }
return ($return);
}
my $self = shift;
while (my $entry = $self->Next) {
- my $hashkey = $entry->RightScope . "-" .
- $entry->RightAppliesTo . "-" .
- $entry->RightName . "-" .
- $entry->PrincipalId . "-" .
- $entry->PrincipalType;
+ my $hashkey = join '-', map $entry->__Value( $_ ),
+ qw(ObjectType ObjectId RightName PrincipalId PrincipalType);
$self->{'as_hash'}->{"$hashkey"} =1;
}
-# {{{ HasEntry
=head2 HasEntry
}
# }}}
+
+
+=head2 NewItem
+
+Returns an empty new RT::ACE item
+
+=cut
+
+sub NewItem {
+ my $self = shift;
+ return(RT::ACE->new($self->CurrentUser));
+}
+RT::Base->_ImportOverlays();
+
1;