X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Flib%2FRT%2FACL.pm;h=83423ad9e295f56111dc2555e07fa55d3f1b22c1;hp=81f59c6d07bc2d6c9dd684715a53465e53b10cfc;hb=919e930aa9279b3c5cd12b593889cd6de79d67bf;hpb=624b2d44625f69d71175c3348cae635d580c890b diff --git a/rt/lib/RT/ACL.pm b/rt/lib/RT/ACL.pm index 81f59c6d0..83423ad9e 100755 --- a/rt/lib/RT/ACL.pm +++ b/rt/lib/RT/ACL.pm @@ -1,115 +1,324 @@ -# BEGIN LICENSE BLOCK -# -# Copyright (c) 1996-2003 Jesse Vincent -# -# (Except where explictly superceded by other copyright notices) -# +# BEGIN BPS TAGGED BLOCK {{{ +# +# COPYRIGHT: +# +# This software is Copyright (c) 1996-2015 Best Practical Solutions, LLC +# +# +# (Except where explicitly superseded by other copyright notices) +# +# +# LICENSE: +# # This work is made available to you under the terms of Version 2 of # the GNU General Public License. A copy of that license should have # been provided with this software, but in any event can be snarfed # from www.gnu.org. -# +# # This work is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. -# -# Unless otherwise specified, all modifications, corrections or -# extensions to this work which alter its source code become the -# property of Best Practical Solutions, LLC when submitted for -# inclusion in the work. -# -# -# END LICENSE BLOCK -# Autogenerated by DBIx::SearchBuilder factory (by ) -# WARNING: THIS FILE IS AUTOGENERATED. ALL CHANGES TO THIS FILE WILL BE LOST. -# -# !! DO NOT EDIT THIS FILE !! # - -use strict; - +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301 or visit their web page on the internet at +# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. +# +# +# CONTRIBUTION SUBMISSION POLICY: +# +# (The following paragraph is not intended to limit the rights granted +# to you to modify and distribute this software under the terms of +# the GNU General Public License and is only of importance to you if +# you choose to contribute your changes and enhancements to the +# community by submitting them to Best Practical Solutions, LLC.) +# +# By intentionally submitting any modifications, corrections or +# derivatives to this work, or any other work intended for use with +# Request Tracker, to Best Practical Solutions, LLC, you confirm that +# you are the copyright holder for those contributions and you grant +# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, +# royalty-free, perpetual, license to use, copy, create derivative +# works based on those contributions, and sublicense and distribute +# those contributions and any derivatives thereof. +# +# END BPS TAGGED BLOCK }}} =head1 NAME - RT::ACL -- Class Description - + RT::ACL - collection of RT ACE objects + =head1 SYNOPSIS - use RT::ACL + use RT::ACL; +my $ACL = RT::ACL->new($CurrentUser); =head1 DESCRIPTION =head1 METHODS + =cut -package RT::ACL; -use RT::SearchBuilder; +package RT::ACL; use RT::ACE; -use vars qw( @ISA ); -@ISA= qw(RT::SearchBuilder); +use base 'RT::SearchBuilder'; +sub Table { 'ACL'} -sub _Init { +use strict; +use warnings; + + + +=head2 Next + +Hand out the next ACE that was found + +=cut + + + +=head2 LimitToObject $object + +Limit the ACL to rights for the object $object. It needs to be an RT::Record class. + +=cut + +sub LimitToObject { my $self = shift; - $self->{'table'} = 'ACL'; - $self->{'primary_key'} = 'id'; + my $obj = shift; + + my $obj_type = ref($obj)||$obj; + my $obj_id = eval { $obj->id}; + + my $object_clause = 'possible_objects'; + $self->_OpenParen($object_clause); + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectType', + OPERATOR => '=', + VALUE => (ref($obj)||$obj), + ENTRYAGGREGATOR => 'OR' # That "OR" applies to the separate objects we're searching on, not "Type Or ID" + ); + if ($obj_id) { + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectId', + OPERATOR => '=', + VALUE => $obj_id, + ENTRYAGGREGATOR => 'AND', + QUOTEVALUE => 0 + ); + } + $self->_CloseParen($object_clause); + +} + + + +=head2 LimitNotObject $object +Limit the ACL to rights NOT on the object $object. $object needs to be +an RT::Record class. - return ( $self->SUPER::_Init(@_) ); +=cut + +sub LimitNotObject { + my $self = shift; + my $obj = shift; + unless ( defined($obj) + && ref($obj) + && UNIVERSAL::can( $obj, 'id' ) + && $obj->id ) + { + return undef; + } + $self->Limit( FIELD => 'ObjectType', + OPERATOR => '!=', + VALUE => ref($obj), + ENTRYAGGREGATOR => 'OR', + SUBCLAUSE => $obj->id + ); + $self->Limit( FIELD => 'ObjectId', + OPERATOR => '!=', + VALUE => $obj->id, + ENTRYAGGREGATOR => 'OR', + QUOTEVALUE => 0, + SUBCLAUSE => $obj->id + ); } -=item NewItem -Returns an empty new RT::ACE item +=head2 LimitToPrincipal { Type => undef, Id => undef, IncludeGroupMembership => undef } + +Limit the ACL to the principal with PrincipalId Id and PrincipalType Type + +Id is not optional. +Type is. + +if IncludeGroupMembership => 1 is specified, ACEs which apply to the principal due to group membership will be included in the resultset. + =cut -sub NewItem { +sub LimitToPrincipal { my $self = shift; - return(RT::ACE->new($self->CurrentUser)); + my %args = ( Type => undef, + Id => undef, + IncludeGroupMembership => undef, + @_ + ); + if ( $args{'IncludeGroupMembership'} ) { + my $cgm = $self->NewAlias('CachedGroupMembers'); + $self->Join( ALIAS1 => 'main', + FIELD1 => 'PrincipalId', + ALIAS2 => $cgm, + FIELD2 => 'GroupId' + ); + $self->Limit( ALIAS => $cgm, + FIELD => 'Disabled', + VALUE => 0 ); + $self->Limit( ALIAS => $cgm, + FIELD => 'MemberId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); + } else { + if ( defined $args{'Type'} ) { + $self->Limit( FIELD => 'PrincipalType', + OPERATOR => '=', + VALUE => $args{'Type'}, + ENTRYAGGREGATOR => 'OR' + ); + } + + # if the principal id points to a user, we really want to point + # to their ACL equivalence group. The machinations we're going through + # lead me to start to suspect that we really want users and groups + # to just be the same table. or _maybe_ that we want an object db. + my $princ = RT::Principal->new( RT->SystemUser ); + $princ->Load( $args{'Id'} ); + if ( $princ->PrincipalType eq 'User' ) { + my $group = RT::Group->new( RT->SystemUser ); + $group->LoadACLEquivalenceGroup($princ); + $args{'Id'} = $group->PrincipalId; + } + $self->Limit( FIELD => 'PrincipalId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); + } } - eval "require RT::ACL_Overlay"; - if ($@ && $@ !~ qr{^Can't locate RT/ACL_Overlay.pm}) { - die $@; - }; - eval "require RT::ACL_Vendor"; - if ($@ && $@ !~ qr{^Can't locate RT/ACL_Vendor.pm}) { - die $@; - }; - eval "require RT::ACL_Local"; - if ($@ && $@ !~ qr{^Can't locate RT/ACL_Local.pm}) { - die $@; - }; +sub AddRecord { + my $self = shift; + my ($record) = @_; + # Short-circuit having to load up the ->Object + return $self->SUPER::AddRecord( $record ) + if $record->CurrentUser->PrincipalObj->Id == RT->SystemUser->Id; + my $obj = $record->Object; + return unless $self->CurrentUser->HasRight( Right => 'ShowACL', + Object => $obj ) + or $self->CurrentUser->HasRight( Right => 'ModifyACL', + Object => $obj ); -=head1 SEE ALSO + return $self->SUPER::AddRecord( $record ); +} -This class allows "overlay" methods to be placed -into the following files _Overlay is for a System overlay by the original author, -_Vendor is for 3rd-party vendor add-ons, while _Local is for site-local customizations. -These overlay files can contain new subs or subs to replace existing subs in this module. -If you'll be working with perl 5.6.0 or greater, each of these files should begin with the line - no warnings qw(redefine); +#wrap around _DoSearch so that we can build the hash of returned +#values +sub _DoSearch { + my $self = shift; + # $RT::Logger->debug("Now in ".$self."->_DoSearch"); + my $return = $self->SUPER::_DoSearch(@_); + # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return"); + if ( $self->{'must_redo_search'} ) { + $RT::Logger->crit( +"_DoSearch is not so successful as it still needs redo search, won't call _BuildHash" + ); + } + else { + $self->_BuildHash(); + } + return ($return); +} -so that perl does not kick and scream when you redefine a subroutine or variable in your overlay. -RT::ACL_Overlay, RT::ACL_Vendor, RT::ACL_Local +#Build a hash of this ACL's entries. +sub _BuildHash { + my $self = shift; + + while (my $entry = $self->Next) { + my $hashkey = join '-', map $entry->__Value( $_ ), + qw(ObjectType ObjectId RightName PrincipalId PrincipalType); + + $self->{'as_hash'}->{"$hashkey"} =1; + + } +} + + + +=head2 HasEntry + +=cut + +sub HasEntry { + + my $self = shift; + my %args = ( RightScope => undef, + RightAppliesTo => undef, + RightName => undef, + PrincipalId => undef, + PrincipalType => undef, + @_ ); + + #if we haven't done the search yet, do it now. + $self->_DoSearch(); + + if ($self->{'as_hash'}->{ $args{'RightScope'} . "-" . + $args{'RightAppliesTo'} . "-" . + $args{'RightName'} . "-" . + $args{'PrincipalId'} . "-" . + $args{'PrincipalType'} + } == 1) { + return(1); + } + else { + return(undef); + } +} + +# }}} + + +=head2 NewItem + +Returns an empty new RT::ACE item =cut +sub NewItem { + my $self = shift; + return(RT::ACE->new($self->CurrentUser)); +} +RT::Base->_ImportOverlays(); 1;