Groups.pm 13.1 KB
Newer Older
1
# BEGIN BPS TAGGED BLOCK {{{
Jesse Vincent's avatar
Jesse Vincent committed
2
#
3
# COPYRIGHT:
Jesse Vincent's avatar
Jesse Vincent committed
4
#
5
# This software is Copyright (c) 1996-2012 Best Practical Solutions, LLC
Kevin Falcone's avatar
Kevin Falcone committed
6
#                                          <sales@bestpractical.com>
Jesse Vincent's avatar
Jesse Vincent committed
7
#
8
# (Except where explicitly superseded by other copyright notices)
Jesse Vincent's avatar
Jesse Vincent committed
9
10
#
#
11
# LICENSE:
Jesse Vincent's avatar
Jesse Vincent committed
12
#
13
14
15
# This work is made available to you under the terms of Version 2 of
# the GNU General Public License. A copy of that license should have
# been provided with this software, but in any event can be snarfed
16
# from www.gnu.org.
Jesse Vincent's avatar
Jesse Vincent committed
17
#
18
19
20
21
# This work is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
Jesse Vincent's avatar
Jesse Vincent committed
22
#
23
24
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
Jesse Vincent's avatar
Jesse Vincent committed
25
26
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 or visit their web page on the internet at
Ruslan Zakirov's avatar
Ruslan Zakirov committed
27
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
Jesse Vincent's avatar
Jesse Vincent committed
28
29
#
#
30
# CONTRIBUTION SUBMISSION POLICY:
Jesse Vincent's avatar
Jesse Vincent committed
31
#
32
33
34
35
36
# (The following paragraph is not intended to limit the rights granted
# to you to modify and distribute this software under the terms of
# the GNU General Public License and is only of importance to you if
# you choose to contribute your changes and enhancements to the
# community by submitting them to Best Practical Solutions, LLC.)
Jesse Vincent's avatar
Jesse Vincent committed
37
#
38
39
40
41
42
43
44
45
# By intentionally submitting any modifications, corrections or
# derivatives to this work, or any other work intended for use with
# Request Tracker, to Best Practical Solutions, LLC, you confirm that
# you are the copyright holder for those contributions and you grant
# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
# royalty-free, perpetual, license to use, copy, create derivative
# works based on those contributions, and sublicense and distribute
# those contributions and any derivatives thereof.
Jesse Vincent's avatar
Jesse Vincent committed
46
#
47
# END BPS TAGGED BLOCK }}}
48

Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
49
50
51
52
53
54
55
=head1 NAME

  RT::Groups - a collection of RT::Group objects

=head1 SYNOPSIS

  use RT::Groups;
56
  my $groups = RT::Groups->new($CurrentUser);
Kevin Riggle's avatar
Kevin Riggle committed
57
  $groups->UnLimit();
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
58
59
60
61
62
63
64
65
66
67
68
69
70
  while (my $group = $groups->Next()) {
     print $group->Id ." is a group id\n";
  }

=head1 DESCRIPTION


=head1 METHODS



=cut

71
72
73

package RT::Groups;

74
use strict;
75
76
use warnings;

77
78
79
80
use base 'RT::SearchBuilder';

sub Table { 'Groups'}

81
use RT::Group;
Jesse Vincent's avatar
Jesse Vincent committed
82
83
84
85
86
87
88
use RT::Users;

# XXX: below some code is marked as subject to generalize in Groups, Users classes.
# RUZ suggest name Principals::Generic or Principals::Base as abstract class, but
# Jesse wants something that doesn't imply it's a Principals.pm subclass.
# See comments below for candidats.

Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
89
90
91
92


sub _Init { 
  my $self = shift;
93
  $self->{'with_disabled_column'} = 1;
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
94

Jesse Vincent's avatar
Jesse Vincent committed
95
96
  my @result = $self->SUPER::_Init(@_);

Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
97
98
99
100
  $self->OrderBy( ALIAS => 'main',
		  FIELD => 'Name',
		  ORDER => 'ASC');

Jesse Vincent's avatar
Jesse Vincent committed
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
  # XXX: this code should be generalized
  $self->{'princalias'} = $self->Join(
    ALIAS1 => 'main',
    FIELD1 => 'id',
    TABLE2 => 'Principals',
    FIELD2 => 'id'
  );

  # even if this condition is useless and ids in the Groups table
  # only match principals with type 'Group' this could speed up
  # searches in some DBs.
  $self->Limit( ALIAS => $self->{'princalias'},
                FIELD => 'PrincipalType',
                VALUE => 'Group',
              );

  return (@result);
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
118
119
}

Jesse Vincent's avatar
Jesse Vincent committed
120
121
122
123
124
125
126
127
128
129
130
131
132
133
=head2 PrincipalsAlias

Returns the string that represents this Users object's primary "Principals" alias.

=cut

# XXX: should be generalized, code duplication
sub PrincipalsAlias {
    my $self = shift;
    return($self->{'princalias'});

}


Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
134

135
=head2 LimitToSystemInternalGroups
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
136

137
Return only SystemInternal Groups, such as "privileged" "unprivileged" and "everyone" 
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
138
139
140
141

=cut


142
sub LimitToSystemInternalGroups {
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
143
    my $self = shift;
144
    $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'SystemInternal');
145
146
    # All system internal groups have the same instance. No reason to limit down further
    #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '0');
Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
147
148
}

149
150
151



Shawn M Moore's avatar
Shawn M Moore committed
152
=head2 LimitToUserDefinedGroups
153
154
155
156
157
158
159
160
161

Return only UserDefined Groups

=cut


sub LimitToUserDefinedGroups {
    my $self = shift;
    $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'UserDefined');
162
163
    # All user-defined groups have the same instance. No reason to limit down further
    #$self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => '');
164
165
}

166
=head2 LimitToRolesForObject OBJECT
167

168
169
170
171
Limits the set of groups to role groups specifically for the object in question
based on the object's class and ID.  If the object has no ID, the roles are not
limited by group C<Instance>.  That is, calling this method on an unloaded
object will find all role groups for that class of object.
172

173
174
175
176
177
178
179
180
181
182
183
184
Replaces L</LimitToRolesForQueue>, L</LimitToRolesForTicket>, and
L</LimitToRolesForSystem>.

=cut

sub LimitToRolesForObject {
    my $self   = shift;
    my $object = shift;
    $self->Limit(FIELD => 'Domain',   OPERATOR => '=', VALUE => ref($object) . "-Role");
    $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => $object->id)
        if $object->id and not ref($object) eq "RT::System";
}
185

Kevin Riggle's avatar
Kevin Riggle committed
186
=head2 LimitToRolesForQueue QUEUE_ID
187

188
189
B<DEPRECATED>. Use L</LimitToRolesForObject> instead.

190
191
192
193
194
195
196
Limits the set of groups found to role groups for queue QUEUE_ID

=cut

sub LimitToRolesForQueue {
    my $self = shift;
    my $queue = shift;
197
    RT->Logger->warning("LimitToRolesForQueue is deprecated; please change code to use LimitToRolesForObject (caller @{[join '/', caller]})");
198
    $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Queue-Role');
199
200
201
202
203
    $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => $queue);
}



Kevin Riggle's avatar
Kevin Riggle committed
204
=head2 LimitToRolesForTicket Ticket_ID
205

206
207
B<DEPRECATED>. Use L</LimitToRolesForObject> instead.

208
209
210
211
212
213
214
Limits the set of groups found to role groups for Ticket Ticket_ID

=cut

sub LimitToRolesForTicket {
    my $self = shift;
    my $Ticket = shift;
215
    RT->Logger->warning("LimitToRolesForTicket is deprecated; please change code to use LimitToRolesForObject (caller @{[join '/', caller]})");
216
    $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::Ticket-Role');
217
    $self->Limit(FIELD => 'Instance', OPERATOR => '=', VALUE => $Ticket);
218
219
220
221
}



Kevin Riggle's avatar
Kevin Riggle committed
222
=head2 LimitToRolesForSystem System_ID
223

224
225
B<DEPRECATED>. Use L</LimitToRolesForObject> instead.

226
227
228
229
230
231
Limits the set of groups found to role groups for System System_ID

=cut

sub LimitToRolesForSystem {
    my $self = shift;
232
    RT->Logger->warning("LimitToRolesForSystem is deprecated; please change code to use LimitToRolesForObject (caller @{[join '/', caller]})");
233
    $self->Limit(FIELD => 'Domain', OPERATOR => '=', VALUE => 'RT::System-Role');
234
235
}

Jesse Vincent's avatar
Jesse Vincent committed
236
237
238
239

=head2 WithMember {PrincipalId => PRINCIPAL_ID, Recursively => undef}

Limits the set of groups returned to groups which have
240
Principal PRINCIPAL_ID as a member. Returns the alias used for the join.
Jesse Vincent's avatar
Jesse Vincent committed
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255

=cut

sub WithMember {
    my $self = shift;
    my %args = ( PrincipalId => undef,
                 Recursively => undef,
                 @_);
    my $members;

    if ($args{'Recursively'}) {
        $members = $self->NewAlias('CachedGroupMembers');
    } else {
        $members = $self->NewAlias('GroupMembers');
    }
256
    $self->Join(ALIAS1 => 'main', FIELD1 => 'id',
Jesse Vincent's avatar
Jesse Vincent committed
257
258
259
                ALIAS2 => $members, FIELD2 => 'GroupId');

    $self->Limit(ALIAS => $members, FIELD => 'MemberId', OPERATOR => '=', VALUE => $args{'PrincipalId'});
260
261
    $self->Limit(ALIAS => $members, FIELD => 'Disabled', VALUE => 0)
        if $args{'Recursively'};
262
263

    return $members;
Jesse Vincent's avatar
Jesse Vincent committed
264
265
}

Ruslan Zakirov's avatar
Ruslan Zakirov committed
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
sub WithoutMember {
    my $self = shift;
    my %args = (
        PrincipalId => undef,
        Recursively => undef,
        @_
    );

    my $members = $args{'Recursively'} ? 'CachedGroupMembers' : 'GroupMembers';
    my $members_alias = $self->Join(
        TYPE   => 'LEFT',
        FIELD1 => 'id',
        TABLE2 => $members,
        FIELD2 => 'GroupId',
    );
    $self->Limit(
        LEFTJOIN => $members_alias,
        ALIAS    => $members_alias,
        FIELD    => 'MemberId',
        OPERATOR => '=',
        VALUE    => $args{'PrincipalId'},
    );
288
289
290
291
292
293
    $self->Limit(
        LEFTJOIN => $members_alias,
        ALIAS    => $members_alias,
        FIELD    => 'Disabled',
        VALUE    => 0
    ) if $args{'Recursively'};
Ruslan Zakirov's avatar
Ruslan Zakirov committed
294
295
296
297
298
299
300
301
    $self->Limit(
        ALIAS    => $members_alias,
        FIELD    => 'MemberId',
        OPERATOR => 'IS',
        VALUE    => 'NULL',
        QUOTEVALUE => 0,
    );
}
302

303
=head2 WithRight { Right => RIGHTNAME, Object => RT::Record, IncludeSystemRights => 1, IncludeSuperusers => 0, EquivObjects => [ ] }
Jesse Vincent's avatar
Jesse Vincent committed
304
305
306
307
308
309
310
311


Find all groups which have RIGHTNAME for RT::Record. Optionally include global rights and superusers. By default, include the global rights, but not the superusers.



=cut

Jesse Vincent's avatar
Jesse Vincent committed
312
#XXX: should be generilized
313
314
315
316
sub WithRight {
    my $self = shift;
    my %args = ( Right                  => undef,
                 Object =>              => undef,
317
                 IncludeSystemRights    => 1,
318
                 IncludeSuperusers      => undef,
Jesse Vincent's avatar
Jesse Vincent committed
319
                 IncludeSubgroupMembers => 0,
320
                 EquivObjects           => [ ],
321
322
                 @_ );

Jesse Vincent's avatar
Jesse Vincent committed
323
324
    my $from_role = $self->Clone;
    $from_role->WithRoleRight( %args );
325

Jesse Vincent's avatar
Jesse Vincent committed
326
327
328
329
330
    my $from_group = $self->Clone;
    $from_group->WithGroupRight( %args );

    #XXX: DIRTY HACK
    use DBIx::SearchBuilder::Union;
331
    my $union = DBIx::SearchBuilder::Union->new();
Jesse Vincent's avatar
Jesse Vincent committed
332
333
334
335
336
337
    $union->add($from_role);
    $union->add($from_group);
    %$self = %$union;
    bless $self, ref($union);

    return;
338
339
}

Jesse Vincent's avatar
Jesse Vincent committed
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
#XXX: methods are active aliases to Users class to prevent code duplication
# should be generalized
sub _JoinGroups {
    my $self = shift;
    my %args = (@_);
    return 'main' unless $args{'IncludeSubgroupMembers'};
    return $self->RT::Users::_JoinGroups( %args );
}
sub _JoinGroupMembers {
    my $self = shift;
    my %args = (@_);
    return 'main' unless $args{'IncludeSubgroupMembers'};
    return $self->RT::Users::_JoinGroupMembers( %args );
}
sub _JoinGroupMembersForGroupRights {
    my $self = shift;
    my %args = (@_);
    my $group_members = $self->_JoinGroupMembers( %args );
    unless( $group_members eq 'main' ) {
        return $self->RT::Users::_JoinGroupMembersForGroupRights( %args );
    }
    $self->Limit( ALIAS => $args{'ACLAlias'},
                  FIELD => 'PrincipalId',
                  VALUE => "main.id",
                  QUOTEVALUE => 0,
                );
}
367
368
369
370
371
372
sub _JoinACL                  { return (shift)->RT::Users::_JoinACL( @_ ) }
sub _RoleClauses              { return (shift)->RT::Users::_RoleClauses( @_ ) }
sub _WhoHaveRoleRightSplitted { return (shift)->RT::Users::_WhoHaveRoleRightSplitted( @_ ) }
sub _GetEquivObjects          { return (shift)->RT::Users::_GetEquivObjects( @_ ) }
sub WithGroupRight            { return (shift)->RT::Users::WhoHaveGroupRight( @_ ) }
sub WithRoleRight             { return (shift)->RT::Users::WhoHaveRoleRight( @_ ) }
Jesse Vincent's avatar
Jesse Vincent committed
373

374
375
376
377
378
379
380
381
sub ForWhichCurrentUserHasRight {
    my $self = shift;
    my %args = (
        Right => undef,
        IncludeSuperusers => undef,
        @_,
    );

382
383
384
385
    # Non-disabled groups...
    $self->LimitToEnabled;

    # ...which are the target object of an ACL with that right, or
386
387
388
389
390
    # where the target is the system object (a global right)
    my $acl = $self->_JoinACL( %args );
    $self->_AddSubClause(
        ACLObjects => "( (main.id = $acl.ObjectId AND $acl.ObjectType = 'RT::Group')"
                   . " OR $acl.ObjectType = 'RT::System')");
391

392
    # ...and where that right is granted to any group..
393
    my $member = $self->Join(
394
395
        ALIAS1 => $acl,
        FIELD1 => 'PrincipalId',
396
        TABLE2 => 'CachedGroupMembers',
397
        FIELD2 => 'GroupId',
398
    );
399
400
401
402
403
    $self->Limit(
        ALIAS => $member,
        FIELD => 'Disabled',
        VALUE => '0',
    );
404

405
406
407
408
409
    # ...with the current user in it
    $self->Limit(
        ALIAS => $member,
        FIELD => 'MemberId',
        VALUE => $self->CurrentUser->Id,
410
    );
411
412
413

    return;
}
414
415
416

=head2 LimitToEnabled

417
Only find items that haven't been disabled
418
419
420
421
422

=cut

sub LimitToEnabled {
    my $self = shift;
423
424
425
426
427
428
429

    $self->{'handled_disabled_column'} = 1;
    $self->Limit(
        ALIAS => $self->PrincipalsAlias,
        FIELD => 'Disabled',
        VALUE => '0',
    );
430
431
432
433
434
435
436
437
438
439
440
441
}


=head2 LimitToDeleted

Only find items that have been deleted.

=cut

sub LimitToDeleted {
    my $self = shift;
    
442
443
444
445
446
447
    $self->{'handled_disabled_column'} = $self->{'find_disabled_rows'} = 1;
    $self->Limit(
        ALIAS => $self->PrincipalsAlias,
        FIELD => 'Disabled',
        VALUE => 1,
    );
448
}
449

450

451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471

sub Next {
    my $self = shift;

    # Don't show groups which the user isn't allowed to see.

    my $Group = $self->SUPER::Next();
    if ((defined($Group)) and (ref($Group))) {
	unless ($Group->CurrentUserHasRight('SeeGroup')) {
	    return $self->Next();
	}
	
	return $Group;
    }
    else {
	return undef;
    }
}



472
473
474
sub _DoSearch {
    my $self = shift;
    
475
    #unless we really want to find disabled rows, make sure we're only finding enabled ones.
476
477
478
479
480
481
482
483
    unless($self->{'find_disabled_rows'}) {
	$self->LimitToEnabled();
    }
    
    return($self->SUPER::_DoSearch(@_));
    
}

Jesse Vincent's avatar
rt.2.1  
Jesse Vincent committed
484

485
486
487
488
489
490
491
492
493
494
495
496
497
498

=head2 NewItem

Returns an empty new RT::Group item

=cut

sub NewItem {
    my $self = shift;
    return(RT::Group->new($self->CurrentUser));
}
RT::Base->_ImportOverlays();

1;