X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Flib%2FRT%2FACL.pm;h=fb3f4011de5c0a3fafe8807e86bb5b1b5b5354d7;hp=444a4c2af0e3f4809bf51c6374bdc2e9ab5f88d3;hb=7322f2afedcc2f427e997d1535a503613a83f088;hpb=3ef62a0570055da710328937e7f65dbb2c027c62 diff --git a/rt/lib/RT/ACL.pm b/rt/lib/RT/ACL.pm index 444a4c2af..fb3f4011d 100755 --- a/rt/lib/RT/ACL.pm +++ b/rt/lib/RT/ACL.pm @@ -1,6 +1,50 @@ -# $Header: /home/cvs/cvsroot/freeside/rt/lib/RT/ACL.pm,v 1.1 2002-08-12 06:17:07 ivan Exp $ -# Distributed under the terms of the GNU GPL -# Copyright (c) 2000 Jesse Vincent +# BEGIN BPS TAGGED BLOCK {{{ +# +# COPYRIGHT: +# +# This software is Copyright (c) 1996-2016 Best Practical Solutions, LLC +# +# +# (Except where explicitly superseded by other copyright notices) +# +# +# LICENSE: +# +# This work is made available to you under the terms of Version 2 of +# the GNU General Public License. A copy of that license should have +# been provided with this software, but in any event can be snarfed +# from www.gnu.org. +# +# This work is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301 or visit their web page on the internet at +# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. +# +# +# CONTRIBUTION SUBMISSION POLICY: +# +# (The following paragraph is not intended to limit the rights granted +# to you to modify and distribute this software under the terms of +# the GNU General Public License and is only of importance to you if +# you choose to contribute your changes and enhancements to the +# community by submitting them to Best Practical Solutions, LLC.) +# +# By intentionally submitting any modifications, corrections or +# derivatives to this work, or any other work intended for use with +# Request Tracker, to Best Practical Solutions, LLC, you confirm that +# you are the copyright holder for those contributions and you grant +# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, +# royalty-free, perpetual, license to use, copy, create derivative +# works based on those contributions, and sublicense and distribute +# those contributions and any derivatives thereof. +# +# END BPS TAGGED BLOCK }}} =head1 NAME @@ -9,300 +53,161 @@ =head1 SYNOPSIS use RT::ACL; -my $ACL = new RT::ACL($CurrentUser); +my $ACL = RT::ACL->new($CurrentUser); =head1 DESCRIPTION =head1 METHODS -=begin testing - -ok(require RT::TestHarness); -ok(require RT::ACL); - -=end testing - -=cut - -package RT::ACL; -use RT::EasySearch; -use RT::ACE; -@ISA= qw(RT::EasySearch); - -# {{{ sub _Init -sub _Init { - my $self = shift; - $self->{'table'} = "ACL"; - $self->{'primary_key'} = "id"; - return ( $self->SUPER::_Init(@_)); - -} -# }}} - -# {{{ sub NewItem -sub NewItem { - my $self = shift; - return(RT::ACE->new($self->CurrentUser)); -} -# }}} - -=head2 Next - -Hand out the next ACE that was found - -=cut - -# {{{ sub Next -sub Next { - my $self = shift; - - my $ACE = $self->SUPER::Next(); - if ((defined($ACE)) and (ref($ACE))) { - - if ( $ACE->CurrentUserHasRight('ShowACL') or - $ACE->CurrentUserHasRight('ModifyACL') - ) { - return($ACE); - } - - #If the user doesn't have the right to show this ACE - else { - return($self->Next()); - } - } - #if there never was any ACE - else { - return(undef); - } - -} - -# }}} - - -=head1 Limit the ACL to a specific scope - -There are two real scopes right now: - -=item Queue is for rights that apply to a single queue - -=item System is for rights that apply to the System (rights that aren't queue related) - - -=head2 LimitToQueue - -Takes a single queueid as its argument. - -Limit the ACL to just a given queue when supplied with an integer queue id. =cut -sub LimitToQueue { - my $self = shift; - my $queue = shift; - - - - $self->Limit( FIELD =>'RightScope', - ENTRYAGGREGATOR => 'OR', - VALUE => 'Queue'); - $self->Limit( FIELD =>'RightScope', - ENTRYAGGREGATOR => 'OR', - VALUE => 'Ticket'); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'RightAppliesTo', - VALUE => $queue ); - -} +package RT::ACL; +use base 'RT::SearchBuilder'; -=head2 LimitToSystem() +use RT::ACE; -Limit the ACL to system rights +sub Table { 'ACL'} -=cut +use strict; +use warnings; -sub LimitToSystem { - my $self = shift; - - $self->Limit( FIELD =>'RightScope', - VALUE => 'System'); -} -=head2 LimitRightTo +=head2 Next -Takes a single RightName as its only argument. -Limits the search to the right $right. -$right is a right listed in perldoc RT::ACE +Hand out the next ACE that was found =cut -sub LimitRightTo { - my $self = shift; - my $right = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'RightName', - VALUE => $right ); - -} -=head1 Limit to a specifc set of principals -=head2 LimitPrincipalToUser +=head2 LimitToObject $object -Takes a single userid as its only argument. -Limit the ACL to a just a specific user. +Limit the ACL to rights for the object $object. It needs to be an RT::Record class. =cut -sub LimitPrincipalToUser { - my $self = shift; - my $user = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => 'User' ); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $user ); - -} - - -=head2 LimitPrincipalToGroup - -Takes a single group as its only argument. -Limit the ACL to just a specific group. - -=cut - -sub LimitPrincipalToGroup { - my $self = shift; - my $group = shift; - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => 'Group' ); - - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $group ); +sub LimitToObject { + my $self = shift; + my $obj = shift; + + my $obj_type = ref($obj)||$obj; + my $obj_id = eval { $obj->id}; + + my $object_clause = 'possible_objects'; + $self->_OpenParen($object_clause); + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectType', + OPERATOR => '=', + VALUE => (ref($obj)||$obj), + ENTRYAGGREGATOR => 'OR' # That "OR" applies to the separate objects we're searching on, not "Type Or ID" + ); + if ($obj_id) { + $self->Limit( + SUBCLAUSE => $object_clause, + FIELD => 'ObjectId', + OPERATOR => '=', + VALUE => $obj_id, + ENTRYAGGREGATOR => 'AND', + QUOTEVALUE => 0 + ); + } + $self->_CloseParen($object_clause); } -=head2 LimitPrincipalToType($type) -Takes a single argument, $type. -Limit the ACL to just a specific principal type -$type is one of: - TicketOwner - TicketRequestor - TicketCc - TicketAdminCc - Everyone - User - Group +=head2 LimitToPrincipal { Type => undef, Id => undef, IncludeGroupMembership => undef } -=cut +Limit the ACL to the principal with PrincipalId Id and PrincipalType Type -sub LimitPrincipalToType { - my $self=shift; - my $type=shift; - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalType', - VALUE => $type ); -} +Id is not optional. +Type is. +if IncludeGroupMembership => 1 is specified, ACEs which apply to the principal due to group membership will be included in the resultset. -=head2 LimitPrincipalToId - -Takes a single argument, the numeric Id of the principal to limit this ACL to. Repeated calls to this -function will broaden the scope of the search to include all principals listed. =cut -sub LimitPrincipalToId { +sub LimitToPrincipal { my $self = shift; - my $id = shift; - - if ($id =~ /^\d+$/) { - $self->Limit(ENTRYAGGREGATOR => 'OR', - FIELD => 'PrincipalId', - VALUE => $id ); - } - else { - $RT::Logger->warn($self."->LimitPrincipalToId called with '$id' as an id"); - return undef; + my %args = ( Type => undef, + Id => undef, + IncludeGroupMembership => undef, + @_ + ); + if ( $args{'IncludeGroupMembership'} ) { + my $cgm = $self->NewAlias('CachedGroupMembers'); + $self->Join( ALIAS1 => 'main', + FIELD1 => 'PrincipalId', + ALIAS2 => $cgm, + FIELD2 => 'GroupId' + ); + $self->Limit( ALIAS => $cgm, + FIELD => 'Disabled', + VALUE => 0 ); + $self->Limit( ALIAS => $cgm, + FIELD => 'MemberId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); + } else { + if ( defined $args{'Type'} ) { + $self->Limit( FIELD => 'PrincipalType', + OPERATOR => '=', + VALUE => $args{'Type'}, + ENTRYAGGREGATOR => 'OR' + ); + } + + # if the principal id points to a user, we really want to point + # to their ACL equivalence group. The machinations we're going through + # lead me to start to suspect that we really want users and groups + # to just be the same table. or _maybe_ that we want an object db. + my $princ = RT::Principal->new( RT->SystemUser ); + $princ->Load( $args{'Id'} ); + if ( $princ->PrincipalType eq 'User' ) { + my $group = RT::Group->new( RT->SystemUser ); + $group->LoadACLEquivalenceGroup($princ); + $args{'Id'} = $group->PrincipalId; + } + $self->Limit( FIELD => 'PrincipalId', + OPERATOR => '=', + VALUE => $args{'Id'}, + ENTRYAGGREGATOR => 'OR' + ); } } -#wrap around _DoSearch so that we can build the hash of returned -#values -sub _DoSearch { - my $self = shift; - # $RT::Logger->debug("Now in ".$self."->_DoSearch"); - my $return = $self->SUPER::_DoSearch(@_); - # $RT::Logger->debug("In $self ->_DoSearch. return from SUPER::_DoSearch was $return\n"); - $self->_BuildHash(); - return ($return); -} -#Build a hash of this ACL's entries. -sub _BuildHash { +sub AddRecord { my $self = shift; + my ($record) = @_; - while (my $entry = $self->Next) { - my $hashkey = $entry->RightScope . "-" . - $entry->RightAppliesTo . "-" . - $entry->RightName . "-" . - $entry->PrincipalId . "-" . - $entry->PrincipalType; + # Short-circuit having to load up the ->Object + return $self->SUPER::AddRecord( $record ) + if $record->CurrentUser->PrincipalObj->Id == RT->SystemUser->Id; - $self->{'as_hash'}->{"$hashkey"} =1; + my $obj = $record->Object; + return unless $self->CurrentUser->HasRight( Right => 'ShowACL', + Object => $obj ) + or $self->CurrentUser->HasRight( Right => 'ModifyACL', + Object => $obj ); - } + return $self->SUPER::AddRecord( $record ); } +# The singular of ACL is ACE. +sub _SingularClass { "RT::ACE" } -# {{{ HasEntry - -=head2 HasEntry - -=cut - -sub HasEntry { - - my $self = shift; - my %args = ( RightScope => undef, - RightAppliesTo => undef, - RightName => undef, - PrincipalId => undef, - PrincipalType => undef, - @_ ); - - #if we haven't done the search yet, do it now. - $self->_DoSearch(); - - if ($self->{'as_hash'}->{ $args{'RightScope'} . "-" . - $args{'RightAppliesTo'} . "-" . - $args{'RightName'} . "-" . - $args{'PrincipalId'} . "-" . - $args{'PrincipalType'} - } == 1) { - return(1); - } - else { - return(undef); - } -} +RT::Base->_ImportOverlays(); -# }}} 1;