X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Fdocs%2Fdesign_docs%2Facls;h=bb093adcbba8a392a2254accc32247bc88e120e9;hp=3b9d8567c52151b6dbb8ca1d3694946beb2017f7;hb=ded0451e9582df33cae6099a2fb72b4ea25076cf;hpb=0ebeec96313dd7edfca340f01f8fbbbac1f4aa1d
diff --git a/rt/docs/design_docs/acls b/rt/docs/design_docs/acls
index 3b9d8567c..bb093adcb 100644
--- a/rt/docs/design_docs/acls
+++ b/rt/docs/design_docs/acls 
@@ -1,206 +1,50 @@ -$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $ +Does principal baz have right foo for object bar -# {{{ Requirements +What rights does user baz have for object bar -Here's the rough scheme I was thinking of for RT2 acls. Thoughts? I think -it's a lot more flexible than RT 1.0, but not so crazily complex that -it will be impossible to implement. One of the "interesting" features -is the ability to grant acls based on watcher status. This now lives -in design-docs/acls +# {{{ Which principals have right foo for object bar - jesse -Who can rights be granted to: +if ($args{'ObjectType'} eq 'Ticket') { + $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = '".$args{'ObjectId'}."') "; + # If we're looking at ticket rights, we also want to look at the associated queue rights. + # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object + # and ask all the rest of our questions about the queue. 
+ my $tick = RT::Ticket->new($RT::SystemUser); + $tick->Load($args{'ObjectId'}); + $args{'ObjectType'} = 'Queue'; + $args{'ObjectId'} = $tick->QueueObj->Id(); - users whose id is - users who are watchers of type for - users who are watchers of type for - - -what scope do these rights apply to - queue - system - - -What rights can be granted - Display Ticket - Manipulate Ticket - Only users with manipulate ticket level access will see comments - Maniplulate Ticket Status - Create Ticket - - Admin Queue Watchers - Admin Ticket Watchers - Admin user accounts - Admin scrips - Admin scripscopes - Admin Queue ACLS - Admin System ACLs - -# }}} - - -# {{{ Prinicpals These are the entities in your Access Control Element -# - -Principal: What user does this right apply to - - Made up of: - PrincipalScope, PrincipalType and PrincipalId - - - User: - Scope: User - Type: null - Id: A userid or 0 - - Owner: - Scope: Owner - Type: null - Id: none - - - Watchers: - - Scope: Ticket - Type: Requestors; Cc; AdminCc - Id: A ticket id or 0 for "this ticket" - - Scope: Queue - Type: Cc; AdminCc - Id: A queue id or 0 for "this queue" - - -# }}} - -# {{{ Object: What object does this right apply to - - Object is composed of an ObjectType and an ObjectId - - Type: System - Id: NULL - - Type: Queue - Id: Integer ref to queue id or 0 for all queues - -# }}} - -# {{{ Right: (What does this entry give the principal the right to do) - - - - For the Object System: - System::SetACL - System::AdminScrips - - User::Display - User::Create - User::Destroy - User::Modify - User::SetPassword - - - - For the Object "Queue": - Queue::Admin - Queue::SetACL - Queue::Create - Queue::Display - Queue::Destroy - Queue::ModifyWatchers - Ticket::Create - Ticket::Destory - Ticket::Display - Ticket::Update - Ticket::UpdateRequestors - Ticket::UpdateCc - Ticket::UpdateAdminCc - Ticket::NotifyWatchers - - - DEFERRED - - Ticket::SetStatus: (Values) - Open - Resolved - Stalled - means any - - -# }}} - - -# {{{ 
Implementation: - -# {{{ SQL Schema -CREATE TABLE ACL ( - id int not null primary_key autoincrement, - PrinicpalId INT(11), - PrincipalType VARCHAR(16), - PrincipalScope VARCHAR(16), - ObjectType VARCHAR(16), - ObjectId INT, - Right VARCHAR(16) -); - -# }}} - -# {{{ perl implementation of rights searches - -sub Principals { -if (defined $Ticket) { - return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)"; - } -else { - return "($UserPrincipal) OR ($WatchersPrincipal)"; - } } - -$Principals = " ($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)"; - -$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND - ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)"; - -$OwnerPrincipal = " ( ACE.PrinciaplScope = 'Owner') AND - ( Tickets.Owner = "$User ) AND - ( Tickets.Id = $Ticket)"; - -$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND - ( ACE.PrincipalType = Watchers.Type ) AND - ( ACL.PrincipalId = Watchers.Value ) AND - ( Watchers.Owner = $User )"; - -$QueueObject = "( ACE.ObjectType = 'Queue' and (ACE.ObjectId = $Queue OR ACE.ObjectId = 0)"; - -$SystemObject = "( ACE.ObjectType = 'System' )"; - - -# This select statement would figure out if A user has $Right at the queue level - -SELECT ACE.id from ACE, Watchers, Tickets WHERE ( - $QueueObject - AND ( ACE.Right = $Right) - AND ($Principals)) +if ($args{'ObjectType'} eq 'Queue') { + $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = '".$args{'ObjectId'}."') $or_check_ticket_roles ) + AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') "; +} -# This select statement would figure outif a user has $Right for the "System" +if (defined $args{'ObjectType'} ) { + $or_look_at_object_rights = " OR (ACL.ObjectType = '".$args{'ObjectType'}."' AND ACL.ObjectId = '".$args{'ObjectId'}."') "; -SELECT ACE.id from ACE, Watchers, Tickets WHERE ( - ($SystemObject) AND ( ACE.Right = $Right ) AND ($Principals)) +} -# 
}}} +my $query = "SELECT Users.* from ACL, Groups, Users, Principals, Principals UserPrinc, CachedGroupMembers WHERE + Users.id = UserPrinc.ObjectId AND UserPrinc.PrincipalType = 'User' AND + Principals.Id = CachedGroupMembers.GroupId AND + CachedGroupMembers.MemberId = UserPrinc.ObjectId AND + UserPrinc.PrincipalType = 'User' AND + (ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') AND + (ACL.ObjectType = 'System' $or_look_at_object_rights) AND + ( + (ACL.PrincipalId = Principals.Id AND + Principals.ObjectId = Groups.Id AND + ACL.PrincipalType = 'Group' AND + (Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence') + ) + $or_check_roles + )"; # }}} -# {{{ Examples -# - -# }}} - - - -Unaddressed issues: - - There needs to be a more refined method for grouping users, such that members of the customer service department -can't change sysadmins' passwords. +What objects does principal baz have right foo for +;
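Review bot: The query sketched in this hunk splices `$args{'ObjectId'}`, `$args{'ObjectType'}` and `$right` straight into SQL string literals (the `Groups.Instance = '".$args{'ObjectId'}."'` fragments in both role branches, the `$or_look_at_object_rights` fragment, and `ACL.RightName = '$right'`), so any of those values that reaches this code from a request can change the statement, and a single quote in an object id is already enough to break it. Even as a design note it is worth showing the safe shape, because this is the text an implementation will be copied from: quote each value with DBI's `$dbh->quote(...)` at the point it is interpolated, or switch to `?` placeholders with a bind list kept in fragment order. Separately, `$or_check_ticket_roles`, `$or_check_roles` and `$or_look_at_object_rights` are only assigned inside their branches, so a plain 'Queue' or an undefined ObjectType interpolates an undef into `$query` (empty string plus an "uninitialized" warning); initialising all three to `''` before the branches makes that intent explicit. The `$tick->Load(...)` return value is also unchecked, so a bad ObjectId falls through to `QueueObj->Id()` on an unloaded ticket — worth a guard, though how Load reports failure is not visible in this hunk. In the excerpt below `$dbh` stands for whichever DBI handle will run `$query`; it is not named on this page.
```perl
# $dbh: the DBI handle that will run $query (not shown in this hunk)
my ($or_check_ticket_roles, $or_check_roles, $or_look_at_object_rights) = ('', '', '');

if ($args{'ObjectType'} eq 'Ticket') {
    $or_check_ticket_roles = " OR ( Groups.Domain = 'TicketRole' AND Groups.Instance = "
        . $dbh->quote($args{'ObjectId'}) . " ) ";
    # … unchanged: load the ticket, switch ObjectType/ObjectId to its queue …
}

if ($args{'ObjectType'} eq 'Queue') {
    $or_check_roles = " OR ( ( (Groups.Domain = 'QueueRole' AND Groups.Instance = "
        . $dbh->quote($args{'ObjectId'}) . ") $or_check_ticket_roles )
        AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
}

if (defined $args{'ObjectType'}) {
    $or_look_at_object_rights = " OR (ACL.ObjectType = " . $dbh->quote($args{'ObjectType'})
        . " AND ACL.ObjectId = " . $dbh->quote($args{'ObjectId'}) . ") ";
}

my $quoted_right = $dbh->quote($right);
# … unchanged: $query, except "ACL.RightName = '$right'" becomes "ACL.RightName = $quoted_right" …
```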