X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Flib%2FRT%2FACL.pm;h=83423ad9e295f56111dc2555e07fa55d3f1b22c1;hp=444a4c2af0e3f4809bf51c6374bdc2e9ab5f88d3;hb=919e930aa9279b3c5cd12b593889cd6de79d67bf;hpb=3ef62a0570055da710328937e7f65dbb2c027c62 diff --git a/rt/lib/RT/ACL.pm b/rt/lib/RT/ACL.pm index 444a4c2af..83423ad9e 100755 --- a/rt/lib/RT/ACL.pm +++ b/rt/lib/RT/ACL.pm @@ -1,6 +1,50 @@ -# $Header: /home/cvs/cvsroot/freeside/rt/lib/RT/ACL.pm,v 1.1 2002-08-12 06:17:07 ivan Exp $ -# Distributed under the terms of the GNU GPL -# Copyright (c) 2000 Jesse Vincent +# BEGIN BPS TAGGED BLOCK {{{ +# +# COPYRIGHT: +# +# This software is Copyright (c) 1996-2015 Best Practical Solutions, LLC +# +# +# (Except where explicitly superseded by other copyright notices) +# +# +# LICENSE: +# +# This work is made available to you under the terms of Version 2 of +# the GNU General Public License. A copy of that license should have +# been provided with this software, but in any event can be snarfed +# from www.gnu.org. +# +# This work is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301 or visit their web page on the internet at +# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. +# +# +# CONTRIBUTION SUBMISSION POLICY: +# +# (The following paragraph is not intended to limit the rights granted +# to you to modify and distribute this software under the terms of +# the GNU General Public License and is only of importance to you if +# you choose to contribute your changes and enhancements to the +# community by submitting them to Best Practical Solutions, LLC.) +# +# By intentionally submitting any modifications, corrections or +# derivatives to this work, or any other work intended for use with +# Request Tracker, to Best Practical Solutions, LLC, you confirm that +# you are the copyright holder for those contributions and you grant +# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, +# royalty-free, perpetual, license to use, copy, create derivative +# works based on those contributions, and sublicense and distribute +# those contributions and any derivatives thereof. +# +# END BPS TAGGED BLOCK }}} =head1 NAME @@ -9,43 +53,28 @@ =head1 SYNOPSIS use RT::ACL; -my $ACL = new RT::ACL($CurrentUser); +my $ACL = RT::ACL->new($CurrentUser); =head1 DESCRIPTION =head1 METHODS -=begin testing - -ok(require RT::TestHarness); -ok(require RT::ACL); - -=end testing =cut + package RT::ACL; -use RT::EasySearch; use RT::ACE; -@ISA= qw(RT::EasySearch); - -# {{{ sub _Init -sub _Init { - my $self = shift; - $self->{'table'} = "ACL"; - $self->{'primary_key'} = "id"; - return ( $self->SUPER::_Init(@_)); - -} -# }}} -# {{{ sub NewItem -sub NewItem { - my $self = shift; - return(RT::ACE->new($self->CurrentUser)); -} -# }}} +use base 'RT::SearchBuilder'; + +sub Table { 'ACL'} + +use strict; +use warnings; + + =head2 Next @@ -53,194 +82,164 @@ Hand out the next ACE that was found =cut -# {{{ sub Next -sub Next { - my $self = shift; - - my $ACE = $self->SUPER::Next(); - if ((defined($ACE)) and (ref($ACE))) { - - if ( $ACE->CurrentUserHasRight('ShowACL') or - $ACE->CurrentUserHasRight('ModifyACL') - ) { - return($ACE); - } - - #If the user doesn't have the right to show this ACE - else { - return($self->Next()); - } - } - #if there never was any ACE - else { - return(undef); - } - -} -# }}} +=head2 LimitToObject $object -=head1 Limit the ACL to a specific scope +Limit the ACL to rights for the object $object. It needs to be an RT::Record class. -There are two real scopes right now: +=cut -=item Queue is for rights that apply to a single queue +sub LimitToObject { + my $self = shift; + my $obj = shift; + + my $obj_type = ref($obj)||$obj; + my $obj_id = eval { $obj->id}; + + my $object_clause = 'possible_objects'; + $self->_OpenParen($object_clause); + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectType', + OPERATOR => '=', + VALUE => (ref($obj)||$obj), + ENTRYAGGREGATOR => 'OR' # That "OR" applies to the separate objects we're searching on, not "Type Or ID" + ); + if ($obj_id) { + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectId', + OPERATOR => '=', + VALUE => $obj_id, + ENTRYAGGREGATOR => 'AND', + QUOTEVALUE => 0 + ); + } + $self->_CloseParen($object_clause); -=item System is for rights that apply to the System (rights that aren't queue related) +} -=head2 LimitToQueue -Takes a single queueid as its argument. +=head2 LimitNotObject $object -Limit the ACL to just a given queue when supplied with an integer queue id. +Limit the ACL to rights NOT on the object $object. $object needs to be +an RT::Record class. =cut -sub LimitToQueue { +sub LimitNotObject { my $self = shift; - my $queue = shift; - - - - $self->Limit( FIELD =>'RightScope', + my $obj = shift; + unless ( defined($obj) + && ref($obj) + && UNIVERSAL::can( $obj, 'id' ) + && $obj->id ) + { + return undef; + } + $self->Limit( FIELD => 'ObjectType', + OPERATOR => '!=', + VALUE => ref($obj), ENTRYAGGREGATOR => 'OR', - VALUE => 'Queue'); - $self->Limit( FIELD =>'RightScope', + SUBCLAUSE => $obj->id + ); + $self->Limit( FIELD => 'ObjectId', + OPERATOR => '!=', + VALUE => $obj->id, ENTRYAGGREGATOR => 'OR', - VALUE => 'Ticket'); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'RightAppliesTo', - VALUE => $queue ); - + QUOTEVALUE => 0, + SUBCLAUSE => $obj->id + ); } -=head2 LimitToSystem() -Limit the ACL to system rights +=head2 LimitToPrincipal { Type => undef, Id => undef, IncludeGroupMembership => undef } -=cut - -sub LimitToSystem { - my $self = shift; - - $self->Limit( FIELD =>'RightScope', - VALUE => 'System'); -} - - -=head2 LimitRightTo - -Takes a single RightName as its only argument. -Limits the search to the right $right. -$right is a right listed in perldoc RT::ACE - -=cut - -sub LimitRightTo { - my $self = shift; - my $right = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'RightName', - VALUE => $right ); - -} +Limit the ACL to the principal with PrincipalId Id and PrincipalType Type -=head1 Limit to a specifc set of principals +Id is not optional. +Type is. -=head2 LimitPrincipalToUser +if IncludeGroupMembership => 1 is specified, ACEs which apply to the principal due to group membership will be included in the resultset. -Takes a single userid as its only argument. -Limit the ACL to a just a specific user. =cut -sub LimitPrincipalToUser { - my $self = shift; - my $user = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => 'User' ); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $user ); - +sub LimitToPrincipal { + my $self = shift; + my %args = ( Type => undef, + Id => undef, + IncludeGroupMembership => undef, + @_ + ); + if ( $args{'IncludeGroupMembership'} ) { + my $cgm = $self->NewAlias('CachedGroupMembers'); + $self->Join( ALIAS1 => 'main', + FIELD1 => 'PrincipalId', + ALIAS2 => $cgm, + FIELD2 => 'GroupId' + ); + $self->Limit( ALIAS => $cgm, + FIELD => 'Disabled', + VALUE => 0 ); + $self->Limit( ALIAS => $cgm, + FIELD => 'MemberId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); + } else { + if ( defined $args{'Type'} ) { + $self->Limit( FIELD => 'PrincipalType', + OPERATOR => '=', + VALUE => $args{'Type'}, + ENTRYAGGREGATOR => 'OR' + ); + } + + # if the principal id points to a user, we really want to point + # to their ACL equivalence group. The machinations we're going through + # lead me to start to suspect that we really want users and groups + # to just be the same table. or _maybe_ that we want an object db. + my $princ = RT::Principal->new( RT->SystemUser ); + $princ->Load( $args{'Id'} ); + if ( $princ->PrincipalType eq 'User' ) { + my $group = RT::Group->new( RT->SystemUser ); + $group->LoadACLEquivalenceGroup($princ); + $args{'Id'} = $group->PrincipalId; + } + $self->Limit( FIELD => 'PrincipalId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); + } } -=head2 LimitPrincipalToGroup - -Takes a single group as its only argument. -Limit the ACL to just a specific group. - -=cut - -sub LimitPrincipalToGroup { - my $self = shift; - my $group = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => 'Group' ); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $group ); - -} -=head2 LimitPrincipalToType($type) -Takes a single argument, $type. -Limit the ACL to just a specific principal type +sub AddRecord { + my $self = shift; + my ($record) = @_; -$type is one of: - TicketOwner - TicketRequestor - TicketCc - TicketAdminCc - Everyone - User - Group + # Short-circuit having to load up the ->Object + return $self->SUPER::AddRecord( $record ) + if $record->CurrentUser->PrincipalObj->Id == RT->SystemUser->Id; -=cut + my $obj = $record->Object; + return unless $self->CurrentUser->HasRight( Right => 'ShowACL', + Object => $obj ) + or $self->CurrentUser->HasRight( Right => 'ModifyACL', + Object => $obj ); -sub LimitPrincipalToType { - my $self=shift; - my $type=shift; - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => $type ); + return $self->SUPER::AddRecord( $record ); } -=head2 LimitPrincipalToId - -Takes a single argument, the numeric Id of the principal to limit this ACL to. Repeated calls to this -function will broaden the scope of the search to include all principals listed. - -=cut - -sub LimitPrincipalToId { - my $self = shift; - my $id = shift; - - if ($id =~ /^\d+$/) { - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $id ); - } - else { - $RT::Logger->warn($self."->LimitPrincipalToId called with '$id' as an id"); - return undef; - } -} #wrap around _DoSearch so that we can build the hash of returned @@ -249,8 +248,15 @@ sub _DoSearch { my $self = shift; # $RT::Logger->debug("Now in ".$self."->_DoSearch"); my $return = $self->SUPER::_DoSearch(@_); - # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return\n"); - $self->_BuildHash(); + # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return"); + if ( $self->{'must_redo_search'} ) { + $RT::Logger->crit( +"_DoSearch is not so successful as it still needs redo search, won't call _BuildHash" + ); + } + else { + $self->_BuildHash(); + } return ($return); } @@ -260,11 +266,8 @@ sub _BuildHash { my $self = shift; while (my $entry = $self->Next) { - my $hashkey = $entry->RightScope . "-" . - $entry->RightAppliesTo . "-" . - $entry->RightName . "-" . - $entry->PrincipalId . "-" . - $entry->PrincipalType; + my $hashkey = join '-', map $entry->__Value( $_ ), + qw(ObjectType ObjectId RightName PrincipalId PrincipalType); $self->{'as_hash'}->{"$hashkey"} =1; @@ -272,7 +275,6 @@ sub _BuildHash { } -# {{{ HasEntry =head2 HasEntry @@ -305,4 +307,18 @@ sub HasEntry { } # }}} + + +=head2 NewItem + +Returns an empty new RT::ACE item + +=cut + +sub NewItem { + my $self = shift; + return(RT::ACE->new($self->CurrentUser)); +} +RT::Base->_ImportOverlays(); + 1;