rt 4.2.13 ticket#13852

[freeside.git] / rt / share / html / Helpers / Autocomplete / CustomFieldValues

diff --git a/rt/share/html/Helpers/Autocomplete/CustomFieldValues b/rt/share/html/Helpers/Autocomplete/CustomFieldValues
index b8b21e4..6c822b1 100644 (file)
--- a/rt/share/html/Helpers/Autocomplete/CustomFieldValues
+++ b/rt/share/html/Helpers/Autocomplete/CustomFieldValues
@@ -2,7 +2,7 @@
 %#
 %# COPYRIGHT:
 %#
-%# This software is Copyright (c) 1996-2012 Best Practical Solutions, LLC
+%# This software is Copyright (c) 1996-2016 Best Practical Solutions, LLC
 %#                                          <sales@bestpractical.com>
 %#
 %# (Except where explicitly superseded by other copyright notices)
@@ -45,23 +45,69 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% $r->content_type('application/json');
+% $r->content_type('application/json; charset=utf-8');
 <% JSON( \@suggestions ) |n %>
 % $m->abort;
 <%INIT>
 # Only autocomplete the last value
 my $term = (split /\n/, $ARGS{term} || '')[-1];
 
+my $abort = sub {
+    $r->content_type('application/json; charset=utf-8');
+    $m->out(JSON( [] ));
+    $m->abort;
+};
+
+unless ( exists $ARGS{ContextType} and exists $ARGS{ContextId} ) {
+    RT->Logger->debug("No context provided");
+    $abort->();
+}
+
+# Use _ParseObjectCustomFieldArgs to avoid duplicating the regex.
+# See the docs for _ParseObjectCustomFieldArgs for details on the data
+# structure returned. There will be only one CF, so drill down 2 layers
+# to get the cf id, if one is there.
+
+my %custom_fields = _ParseObjectCustomFieldArgs(\%ARGS);
 my $CustomField;
-for my $k ( keys %ARGS ) {
-    next unless $k =~ /^Object-.*?-\d*-CustomField-(\d+)-Values?$/;
-    $CustomField = $1;
-    last;
+foreach my $class ( keys %custom_fields ){
+    foreach my $id ( keys %{$custom_fields{$class}} ){
+        ($CustomField) = keys %{$custom_fields{$class}{$id}};
+    }
 }
 
-$m->abort unless $CustomField;
+unless ( $CustomField ) {
+    RT->Logger->debug("No CustomField provided");
+    $abort->();
+}
+
+my $SystemCustomFieldObj = RT::CustomField->new( RT->SystemUser );
+my ($id, $msg) = $SystemCustomFieldObj->LoadById( $CustomField ) ;
+unless ( $id ) {
+    RT->Logger->debug("Invalid CustomField provided: $msg");
+    $abort->();
+}
+
+my $context_object = $SystemCustomFieldObj->LoadContextObject(
+    $ARGS{ContextType}, $ARGS{ContextId} );
+$abort->() unless $context_object;
+
 my $CustomFieldObj = RT::CustomField->new( $session{'CurrentUser'} );
-$CustomFieldObj->Load( $CustomField );
+if ( $SystemCustomFieldObj->ValidateContextObject($context_object) ) {
+    # drop our privileges that came from calling LoadContextObject as the System User
+    $context_object->new($session{'CurrentUser'});
+    $context_object->LoadById($ARGS{ContextId});
+    $CustomFieldObj->SetContextObject( $context_object );
+} else {
+    RT->Logger->debug("Invalid Context Object ".$context_object->id." for Custom Field ".$SystemCustomFieldObj->id);
+    $abort->();
+}
+
+($id, $msg) = $CustomFieldObj->LoadById( $CustomField );
+unless ( $CustomFieldObj->Name ) {
+    RT->Logger->debug("Current User cannot see this Custom Field, terminating");
+    $abort->();
+}
 
 my $values = $CustomFieldObj->Values;
 $values->Limit(
@@ -79,6 +125,13 @@ $values->Limit(
     SUBCLAUSE       => 'autocomplete',
     CASESENSITIVE   => 0,
 );
+$m->callback(
+    CallbackName => 'ModifyMaxResults',
+    max => \$ARGS{max},
+    term => $term,
+    CustomField => $CustomFieldObj,
+);
+$values->RowsPerPage( $ARGS{max} // 10 );
 
 my @suggestions;