Commit 57be888c authored by Jesse Vincent's avatar Jesse Vincent

Refactored the ACL system to be more extensible

parent 65c6da87
......@@ -31,7 +31,7 @@ GETPARAM = $(PERL) -e'require "$(CONFIG_FILE)"; print $${$$RT::{$$ARGV[0]}};'
RT_VERSION_MAJOR = 2
RT_VERSION_MINOR = 1
RT_VERSION_PATCH = 40
RT_VERSION_PATCH = 41
RT_VERSION = $(RT_VERSION_MAJOR).$(RT_VERSION_MINOR).$(RT_VERSION_PATCH)
TAG = rt-$(RT_VERSION_MAJOR)-$(RT_VERSION_MINOR)-$(RT_VERSION_PATCH)
......
......@@ -847,10 +847,12 @@ sub AdminRights {
require RT::ACL;
my $acl = new RT::ACL($CurrentUser);
if ( $queue != 0 ) {
$acl->LimitToObject(Type => "Queue", Id=>$queue);
my $queue_obj = RT::Queue->new($CurrentUser);
$queue_obj->Load($queue);
$acl->LimitToObject($queue_obj);
}
else {
$acl->LimitToObject(Type => 'System');
$acl->LimitToObject($RT::System);
}
while ( my $ace = $acl->Next ) {
print $ace->ObjectType;
......
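Review bot: `$queue_obj->Load($queue)` is not checked, so a queue id that does not exist reaches `$acl->LimitToObject($queue_obj)` with an unloaded object; the new LimitToObject then limits on whatever `$queue_obj->id` returns for an empty record (likely undef) instead of failing, and the listing silently comes back empty or wrong. Check the load before using the object: `$queue_obj->Load($queue) or die "No queue with id $queue\n";`. The `new RT::ACL(...)` indirect-object call on the line above is context, but the new lines already use the `RT::Queue->new(...)` style, which the whole block could follow. AdminRights continues outside the hunk.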
......@@ -8,7 +8,7 @@
my $groupid = $groups->First->Id;
my $adminccs = RT::Users->new($RT::SystemUser);
$adminccs->WhoHaveRight(Right => 'AdminGroup' ObjectType =>'Group', IncludeSystemRights => undef, IncludeSuperusers => 0, IncludeSubgroupMembers => 0, ObjectId => $groupid);
$adminccs->WhoHaveRight(Right => 'AdminGroup', IncludeSystemRights => undef, IncludeSuperusers => 0, IncludeSubgroupMembers => 0, Object => $groups->First);
my @admins;
while (my $admin = $adminccs->Next) {
......
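Review bot: `my $groupid = $groups->First->Id;` on the line above the change is now dead, because the new call passes `Object => $groups->First` instead of `ObjectId => $groupid`; drop it, or fetch the group once and reuse it: `my $group = $groups->First;` then `Object => $group`. The same leftover appears in the RT::Users example hunk at L286-L293 (`$groupid` at L287), and the example at L274-L285 should be checked for it as well since its preceding lines are not in the hunk.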
......@@ -70,27 +70,26 @@
my $ACE = new RT::ACE($session{'CurrentUser'});
$ACLObj->LimitToObject( Id => $ObjectId, Type => $ObjectType);
$ACLObj->LimitToObject( $Object);
$ACLObj->LimitToPrincipal( Id => $PrincipalId);
if ($ObjectType eq 'Group') {
if (ref($Object) eq 'RT::Group') {
%Rights = $ACE->GroupRights();
}
elsif ($ObjectType eq 'Queue') {
elsif (ref($Object) eq 'RT::Queue') {
%Rights = $ACE->QueueRights();
}
elsif ($ObjectType eq 'System') {
elsif (ref($Object) eq 'RT::System') {
%Rights = ( $ACE->SystemRights , $ACE->QueueRights(),$ACE->GroupRights());
}
$ACLDesc = "$PrincipalId-$ObjectType-$ObjectId";
$ACLDesc = "$PrincipalId-".ref($Object)."-".$Object->Id;
</%INIT>
<%ARGS>
$PrincipalType => undef
$PrincipalId => undef
$ObjectId => 0
$ObjectType => undef
$Object =>undef
</%ARGS>
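Review bot: `$Object->Id` on the new `$ACLDesc` line dies with "Can't call method Id on an undefined value" whenever the component is called without an `Object` argument, which is now the default (`$Object =>undef`), and by then `$ACLObj->LimitToObject($Object)` has already returned without adding any limit, so the query carries no object restriction at all. Fail early at the top of <%INIT> instead: `die "SelectRights requires an Object" unless $Object;`. The three `ref($Object) eq 'RT::...'` tests would also be safer as `$Object->isa('RT::Group')` and so on, so subclasses of those records still pick the right rights table. The <%INIT> block starts outside the hunk.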
......@@ -41,7 +41,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'System' &>
Object =>$RT::System &>
</TD>
</TR>
% }
......@@ -57,7 +57,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'System'&>
Object => $RT::System &>
</TD>
</TR>
% }
......@@ -73,7 +73,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'System' &>
Object => $RT::System &>
</TD>
</TR>
% }
......
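Review bot: `Object =>$RT::System &>` in the first hunk drops the space after `=>` that the other two hunks in this file (`Object => $RT::System &>`) keep; make the three call sites identical. The SelectRights <%ARGS> default `$Object =>undef` has the same spacing slip.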
......@@ -42,8 +42,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $group->PrincipalId,
ObjectType => 'System',
ObjectId => '0' &>
Object => $RT::System &>
</TD>
</TR>
% }
......
......@@ -43,8 +43,7 @@
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
PrincipalType => 'Group',
ObjectType => 'Group',
ObjectId => $GroupObj->Id &>
Object => $GroupObj &>
</TD>
</TR>
% }
......@@ -61,8 +60,7 @@
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
PrincipalType => 'Group',
ObjectType => 'Group',
ObjectId => $GroupObj->Id &>
Object => $GroupObj &>
</TD>
</TR>
% }
......
......@@ -42,8 +42,7 @@
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Member->MemberObj->Id,
PrincipalType => 'User',
ObjectType => 'Group',
ObjectId => $GroupObj->Id &>
Object => $GroupObj &>
</TD>
</TR>
% }
......
......@@ -42,8 +42,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'Queue',
ObjectId => $QueueObj->Id &>
Object => $QueueObj &>
</TD>
</TR>
% }
......@@ -59,8 +58,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'Queue',
ObjectId => $QueueObj->Id &>
Object => $QueueObj &>
</TD>
</TR>
% }
......@@ -76,8 +74,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
ObjectType => 'Queue',
ObjectId => $QueueObj->Id &>
Object => $QueueObj &>
</TD>
</TR>
% }
......
......@@ -43,8 +43,7 @@
</TD>
<TD>
<& /Admin/Elements/SelectRights, PrincipalId=> $group->PrincipalId,
ObjectType => 'Queue',
ObjectId => $QueueObj->Id &>
Object => $QueueObj &>
</TD>
</TR>
% }
......
......@@ -28,7 +28,7 @@
<& /Elements/TitleBoxStart, title => loc("Select a queue") &>
% if ($session{'CurrentUser'}->HasSystemRight('AdminQueue')) {
% if ($session{'CurrentUser'}->HasRight( Object => $RT::System, Right => 'AdminQueue')) {
<P><A HREF="<%$RT::WebPath%>/Admin/Queues/Modify.html?Create=1"><&|/l&>Create a new queue</&></A><BR><BR></P>
% }
......
......@@ -28,7 +28,7 @@
<& /Elements/TitleBoxStart, title => loc('Select a user') &>
% if ($session{'CurrentUser'}->HasSystemRight('AdminUsers')) {
% if ($session{'CurrentUser'}->HasRight( Object => $RT::System, Right => 'AdminUsers')) {
<P><A HREF="<%$RT::WebPath%>/Admin/Users/Modify.html?Create=1"><&|/l&>Create a new user</&></A></P>
% }
......
......@@ -22,11 +22,13 @@
#
#
# END LICENSE BLOCK
package RT;
use RT::CurrentUser;
use strict;
use RT::CurrentUser;
use RT::System;
use vars qw($VERSION $SystemUser $Nobody $Handle $Logger);
use vars qw($VERSION $System $SystemUser $Nobody $Handle $Logger);
$VERSION = '!!RT_VERSION!!';
......@@ -77,7 +79,9 @@ sub Init {
#RT's "nobody user" is a genuine database user. its ID lives here.
$Nobody = new RT::CurrentUser();
$Nobody->LoadByName('Nobody');
$System = RT::System->new();
InitLogging();
}
......
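Review bot: `$System = RT::System->new();` stores the object that every system-level ACL check in this commit now hangs off (`HasRight( Object => $RT::System, ... )`, `LimitToObject($RT::System)`) without checking the result, and unlike `$Nobody` two lines above it is built without a current user; whether RT::System->new needs one is not visible here. Because the new RT::ACL::LimitToObject quietly returns undef for an object it cannot call `id` on, a broken `$System` would turn those ACL queries into unrestricted ones rather than an error, so fail loudly at init: `$System = RT::System->new() or die "Couldn't create the RT::System object";`. Init starts outside the hunk.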
......@@ -59,20 +59,20 @@ Hand out the next ACE that was found
# {{{ LimitToObject
=head2 LimitToObject { Type => undef, Id => undef }
=head2 LimitToObject $object
Limit the ACL to the Object with ObjectId Id and ObjectType Type
Limit the ACL to rights for the object $object. It needs to be an RT::Record class.
=cut
sub LimitToObject {
my $self = shift;
my %args = ( Type => undef,
Id => undef,
@_);
$self->Limit(FIELD => 'ObjectType', OPERATOR=> '=', VALUE => $args{'Type'}, ENTRYAGGREGATOR => 'OR');
$self->Limit(FIELD => 'ObjectId', OPERATOR=> '=', VALUE => $args{'Id'}, ENTRYAGGREGATOR => 'OR');
my $obj = shift;
unless (defined($obj) && ref($obj) && UNIVERSAL::can($obj, 'id')) {
return undef;
}
$self->Limit(FIELD => 'ObjectType', OPERATOR=> '=', VALUE => ref($obj), ENTRYAGGREGATOR => 'OR');
$self->Limit(FIELD => 'ObjectId', OPERATOR=> '=', VALUE => $obj->id, ENTRYAGGREGATOR => 'OR');
}
......@@ -208,26 +208,31 @@ sub DelegatedFrom {
# {{{ sub Next
sub Next {
my $self = shift;
my $ACE = $self->SUPER::Next();
if ((defined($ACE)) and (ref($ACE))) {
if ( $ACE->CurrentUserHasRight('ShowACL') or
$ACE->CurrentUserHasRight('ModifyACL')
) {
return($ACE);
}
#If the user doesn't have the right to show this ACE
else {
return($self->Next());
}
if ( ( defined($ACE) ) and ( ref($ACE) ) ) {
if ( $self->CurrentUser->HasRight( Right => 'ShowACL',
Object => $ACE->Object )
or $self->CurrentUser->HasRight( Right => 'ModifyACL',
Object => $ACE->Object )
) {
return ($ACE);
}
#If the user doesn't have the right to show this ACE
else {
use Carp;
$RT::Logger->debug(Carp::cluck);
return ( $self->Next() );
}
}
#if there never was any ACE
else {
return(undef);
}
return (undef);
}
}
# }}}
......
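Review bot: The new `LimitToObject` returns undef without adding any limit when `$obj` is not a loaded record, and none of the callers this commit updates (`$acl->LimitToObject($queue_obj)` after an unchecked Load, `$ACLObj->LimitToObject($Object)` with a default of undef) look at the return value, so a bad object yields an ACL collection with no object restriction instead of an empty or failed one. Fail closed: log it with `$RT::Logger->error("LimitToObject: not an RT::Record: " . (ref($obj) || $obj));`, then croak or add a limit that can match nothing, and have callers check the result; `return;` rather than `return undef;` also avoids a one-element list in list context. In the `Next` hunk, `$RT::Logger->debug(Carp::cluck)` logs cluck's return value (the result of `warn`) rather than a trace, and prints a full stack trace to STDERR for every ACE the current user may not see; use `$RT::Logger->debug(Carp::longmess("ACE hidden from current user"))` or remove it, and move `use Carp;` out of the else block to the top of the file.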
......@@ -113,11 +113,10 @@ A convoluted example
my $adminccs = RT::Users->new($RT::SystemUser);
$adminccs->WhoHaveRight(
Right => "AdminGroup",
ObjectType =>"Group",
Object =>$groups->First,
IncludeSystemRights => undef,
IncludeSuperusers => 0,
IncludeSubgroupMembers => 0,
ObjectId => $groupid,
);
my @admins;
......@@ -229,7 +228,7 @@ my $approvals =
my $groupid = $groups->First->Id;
my $adminccs = RT::Users->new($RT::SystemUser);
$adminccs->WhoHaveRight(Right => "AdminGroup" ObjectType =>"Group", IncludeSystemRights => undef, IncludeSuperusers => 0, IncludeSubgroupMembers => 0, ObjectId => $groupid);
$adminccs->WhoHaveRight(Right => "AdminGroup", IncludeSystemRights => undef, IncludeSuperusers => 0, IncludeSubgroupMembers => 0, Object => $groups->First);
my @admins;
while (my $admin = $adminccs->Next) {
......
......@@ -149,16 +149,14 @@ mysql supported foreign keys with cascading deletes.
sub Delete {
my $self = shift;
my $err = $self->SUPER::Delete();
unless ($err) {
$RT::Logger->error( "Couldn't delete CachedGroupMember " . $self->Id );
return (undef);
}
my $member = $self->MemberObj();
if ( $member->IsGroup ) {
my $deletable = RT::CachedGroupMembers->new( $self->CurrentUser );
$deletable->Limit( FIELD => 'id',
OPERATOR => '!=',
VALUE => $self->id );
$deletable->Limit( FIELD => 'Via',
OPERATOR => '=',
VALUE => $self->id );
......@@ -172,14 +170,22 @@ sub Delete {
}
}
}
my $err = $self->SUPER::Delete();
unless ($err) {
$RT::Logger->error( "Couldn't delete CachedGroupMember " . $self->Id );
return (undef);
}
# Unless $self->GroupObj still has the member recursively $self->MemberObj
# (Since we deleted the database row above, $self no longer counts)
unless ( $self->GroupObj->Object->HasMemberRecursively( $self->MemberObj ) ) {
# Find all ACEs granted to $self->GroupId
my $acl = RT::ACL->new($RT::SystemUser);
$acl->LimitToPrincipal( Id => $self->GroupId );
while ( my $this_ace = $acl->Next() ) {
# Find all ACEs which $self-MemberObj has delegated from $this_ace
my $delegations = RT::ACL->new($RT::SystemUser);
......
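Review bot: Moving `$self->SUPER::Delete()` below the submember cascade means the rows found via `$deletable` are already gone when the failure branch returns undef, so that error path now leaves a partially deleted cache unless the caller holds a transaction; RT::Group::Delete in this commit does `$RT::Handle->Rollback()` on a failed member delete (hunk at L378-L384), but other callers of this method are not visible here. The ordering is deliberate (the HasMemberRecursively check below needs the row gone), so state the contract in the POD above instead, e.g. `Must be called inside a transaction: the cascade runs before the row itself is deleted, and on failure the caller is expected to roll back.`. `Delete` starts inside the hunk at L295 but continues past L329.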
......@@ -287,44 +287,9 @@ sub Privileged {
# {{{ Convenient ACL methods
=head2 HasGroupRight
calls $self->UserObj->HasGroupRight with the arguments passed in
=cut
sub HasGroupRight {
my $self = shift;
return ($self->UserObj->HasGroupRight(@_));
}
=head2 HasQueueRight
calls $self->UserObj->HasQueueRight with the arguments passed in
=cut
sub HasQueueRight {
my $self = shift;
return ($self->UserObj->HasQueueRight(@_));
}
=head2 HasSystemRight
calls $self->UserObj->HasSystemRight with the arguments passed in
=cut
sub HasSystemRight {
my $self = shift;
return ($self->UserObj->HasSystemRight(@_));
}
# }}}
# {{{ sub HasRight
=head2 HasSystemRight
=head2 HasRight
calls $self->UserObj->HasRight with the arguments passed in
......
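Review bot: Deleting `HasGroupRight`, `HasQueueRight` and `HasSystemRight` from RT::CurrentUser removes a public interface that local scrips, overlays and extensions may call, and any missed caller fails only at runtime with "Can't locate object method", on that one page. Thin shims forwarding to `HasRight` would make the transition safe; for the one-argument form the callers rewritten in this commit used: `sub HasSystemRight { my $self = shift; return $self->HasRight( Object => $RT::System, Right => shift ); }`. The old argument shapes of HasQueueRight and HasGroupRight are not visible here, so their shims would need the same care, with a deprecation note in the POD.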
......@@ -412,7 +412,7 @@ sub _Set {
if ( ( defined $self->SUPER::_Value('Queue') )
&& ( $self->SUPER::_Value('Queue') == 0 ) )
{
unless ( $self->CurrentUser->HasSystemRight('AdminCustomFields') ) {
unless ( $self->CurrentUser->HasRight( Object => $RT::System, Right => 'AdminCustomFields') ) {
return ( 0, $self->loc('Permission Denied') );
}
}
......@@ -451,7 +451,7 @@ sub _Value {
if ( ( !defined $self->__Value('Queue') )
|| ( $self->__Value('Queue') == 0 ) )
{
unless ( $self->CurrentUser->HasSystemRight('SeeQueue') ) {
unless ( $self->CurrentUser->HasRight( Object => $RT::System, Right => 'SeeQueue') ) {
return (undef);
}
}
......
......@@ -291,7 +291,6 @@ sub Delete {
while ( my $item_to_del = $cached_submembers->Next() ) {
#$RT::Logger->debug("About to delete a submember ".$item_to_del->MemberId);
my $del_err = $item_to_del->Delete();
unless ($del_err) {
$RT::Handle->Rollback();
......