sub LimitToSystemInternalGroups {
my $self = shift;
$self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'SystemInternal');
- $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
+ # All system internal groups have the same instance. No reason to limit down further
+ #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '0');
}
sub LimitToUserDefinedGroups {
my $self = shift;
$self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'UserDefined');
- $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
+ # All user-defined groups have the same instance. No reason to limit down further
+ #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
}
}
+=head2 WithRight { Right => RIGHTNAME, Object => RT::Record, IncludeSystemRights => 1, IncludeSuperusers => 0 }
+
+
+Find all groups which have RIGHTNAME for RT::Record. Optionally include global rights and superusers. By default, include the global rights, but not the superusers.
+
+=begin testing
+
+my $q = RT::Queue->new($RT::SystemUser);
+my ($id, $msg) =$q->Create( Name => 'GlobalACLTest');
+ok ($id, $msg);
+
+my $testuser = RT::User->new($RT::SystemUser);
+($id,$msg) = $testuser->Create(Name => 'JustAnAdminCc');
+ok ($id,$msg);
+
+my $global_admin_cc = RT::Group->new($RT::SystemUser);
+$global_admin_cc->LoadSystemRoleGroup('AdminCc');
+ok($global_admin_cc->id, "Found the global admincc group");
+my $groups = RT::Groups->new($RT::SystemUser);
+$groups->WithRight(Right => 'OwnTicket', Object => $q);
+is($groups->Count, 1);
+($id, $msg) = $global_admin_cc->PrincipalObj->GrantRight(Right =>'OwnTicket', Object=> $RT::System);
+ok ($id,$msg);
+ok (!$testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does not have the right to own tickets in the test queue");
+($id, $msg) = $q->AddWatcher(Type => 'AdminCc', PrincipalId => $testuser->id);
+ok($id,$msg);
+ok ($testuser->HasRight(Object => $q, Right => 'OwnTicket') , "The test user does have the right to own tickets now. thank god.");
+
+$groups = RT::Groups->new($RT::SystemUser);
+$groups->WithRight(Right => 'OwnTicket', Object => $q);
+ok ($id,$msg);
+is($groups->Count, 2);
+
+=end testing
+
+
+=cut
+
+
sub WithRight {
my $self = shift;
my %args = ( Right => undef,
Object => => undef,
- IncludeSystemRights => undef,
+ IncludeSystemRights => 1,
IncludeSuperusers => undef,
@_ );
- my $groupprinc = $self->NewAlias('Principals');
my $acl = $self->NewAlias('ACL');
# {{{ Find only rows where the right granted is the one we're looking up or _possibly_ superuser
$self->Limit( ALIAS => $acl,
FIELD => 'RightName',
- OPERATOR => '=',
- VALUE => $args{Right},
+ OPERATOR => ($args{Right} ? '=' : 'IS NOT'),
+ VALUE => $args{Right} || 'NULL',
ENTRYAGGREGATOR => 'OR' );
- if ( $args{'IncludeSuperusers'} ) {
+ if ( $args{'IncludeSuperusers'} and $args{'Right'} ) {
$self->Limit( ALIAS => $acl,
FIELD => 'RightName',
OPERATOR => '=',
}
# }}}
- my ($or_check_ticket_roles, $or_check_roles, $or_look_at_object);
+ my ($or_check_ticket_roles, $or_check_roles);
+ my $which_object = "$acl.ObjectType = 'RT::System'";
if ( defined $args{'Object'} ) {
if ( ref($args{'Object'}) eq 'RT::Ticket' ) {
$or_check_roles =
" OR ( ( (main.Domain = 'RT::Queue-Role' AND main.Instance = " .
$args{'Object'}->Id . ") $or_check_ticket_roles ) " .
- " AND main.Type = $acl.PrincipalType AND main.id = $groupprinc.id) ";
+ " AND main.Type = $acl.PrincipalType) ";
}
- $or_look_at_object =
- " OR ($acl.ObjectType = '" . ref($args{'Object'}) . "'" .
+ if ( $args{'IncludeSystemRights'} ) {
+ $which_object .= ' OR ';
+ }
+ else {
+ $which_object = '';
+ }
+ $which_object .=
+ " ($acl.ObjectType = '" . ref($args{'Object'}) . "'" .
" AND $acl.ObjectId = " . $args{'Object'}->Id . ") ";
}
- $self->_AddSubClause( "WhichObject", "($acl.ObjectType = 'RT::System' $or_look_at_object)" );
+ $self->_AddSubClause( "WhichObject", "($which_object)" );
$self->_AddSubClause( "WhichGroup",
qq{
- ( ( $acl.PrincipalId = $groupprinc.id
+ ( ( $acl.PrincipalId = main.id
AND $acl.PrincipalType = 'Group'
AND ( main.Domain = 'SystemInternal'
OR main.Domain = 'UserDefined'
- OR main.Domain = 'ACLEquivalence')
- AND main.id = $groupprinc.id)
+ OR main.Domain = 'ACLEquivalence'))
$or_check_roles)
}
);
}
+# {{{ sub LimitToEnabled
+
+=head2 LimitToEnabled
+
+Only find items that haven\'t been disabled
+
+=cut
+
+sub LimitToEnabled {
+ my $self = shift;
+
+ my $alias = $self->Join(
+ TYPE => 'left',
+ ALIAS1 => 'main',
+ FIELD1 => 'id',
+ TABLE2 => 'Principals',
+ FIELD2 => 'id'
+ );
+
+ $self->Limit( ALIAS => $alias,
+ FIELD => 'Disabled',
+ VALUE => '0',
+ OPERATOR => '=' );
+}
+# }}}
+
+# {{{ sub LimitToDisabled
+
+=head2 LimitToDeleted
+
+Only find items that have been deleted.
+
+=cut
+
+sub LimitToDeleted {
+ my $self = shift;
+
+ my $alias = $self->Join(
+ TYPE => 'left',
+ ALIAS1 => 'main',
+ FIELD1 => 'id',
+ TABLE2 => 'Principals',
+ FIELD2 => 'id'
+ );
+
+ $self->{'find_disabled_rows'} = 1;
+ $self->Limit( ALIAS => $alias,
+ FIELD => 'Disabled',
+ OPERATOR => '=',
+ VALUE => '1'
+ );
+}
+# }}}
+
+sub _DoSearch {
+ my $self = shift;
+
+ #unless we really want to find disabled rows, make sure we\'re only finding enabled ones.
+ unless($self->{'find_disabled_rows'}) {
+ $self->LimitToEnabled();
+ }
+
+ return($self->SUPER::_DoSearch(@_));
+
+}
+
1;