Commit 8da05c4a authored by Shawn M Moore's avatar Shawn M Moore

Generalize ModifyPerlTemplate to ExecutePerl

    This new right is system-wide as opposed to queue-specific, which
    was kind of pointless. Simplifies some code and is useful for other
    places like user-defined conditions and actions (not yet
    ACL-checked against ExecutePerl)
parent 20546138
......@@ -25,7 +25,7 @@
},
sub {
use strict;
$RT::Logger->debug('Adding ModifyPerlTemplate right to principals that currently have ModifyTemplate');
$RT::Logger->debug('Adding ExecutePerl right to principals that currently have ModifyTemplate');
my $acl = RT::ACL->new($RT::SystemUser);
$acl->Limit(
......@@ -35,16 +35,15 @@
);
while (my $ace = $acl->Next) {
my $object = $ace->Object;
my $principal = $ace->PrincipalObj;
my ($ok, $msg) = $principal->GrantRight(
Right => 'ModifyPerlTemplate',
Object => $object,
Right => 'ExecutePerl',
Object => $RT::SystemUser,
);
if (!$ok) {
$RT::Logger->warn("Unable to grant ModifyPerlTemplate on principal " . $principal->id . ": $msg");
$RT::Logger->warn("Unable to grant ExecutePerl on principal " . $principal->id . ": $msg");
}
}
},
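Review bot: The replacement `GrantRight` call passes `Object => $RT::SystemUser`, while the checks this commit adds in the template code test `Object => $RT::System`. If `$RT::SystemUser` is the internal user object rather than the system object, as its name suggests, the migrated right lands on the wrong object and never satisfies those checks; the line should probably read `Object => $RT::System,`. The loop also issues one grant per matching ACE, so a principal holding ModifyTemplate on several queues is granted repeatedly and will presumably hit the `warn` branch for the duplicates. Every such principal ends up with a system-wide code-execution right after the upgrade, which deserves a line in the upgrade notes so administrators can review the resulting grants. The `Limit` arguments lie outside the visible lines, and which of the paired lines is old and which is new is inferred from the commit title.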
......
......@@ -94,7 +94,6 @@ our $RIGHTS = {
AssignCustomFields => 'Assign and remove custom fields', # loc_pair
ModifyTemplate => 'Modify Scrip templates for this queue', # loc_pair
ShowTemplate => 'Display Scrip templates for this queue', # loc_pair
ModifyPerlTemplate => 'Modify templates with unlimited code execution', # loc_pair
ModifyScrips => 'Modify Scrips for this queue', # loc_pair
ShowScrips => 'Display Scrips for this queue', # loc_pair
......
......@@ -89,6 +89,7 @@ our $RIGHTS = {
ShowApprovalsTab => "show Approvals tab", # loc_pair
LoadSavedSearch => "allow loading of saved searches", # loc_pair
CreateSavedSearch => "allow creation of saved searches", # loc_pair
ExecutePerl => "allow writing Perl code in templates, scrips, etc", # loc_pair
};
# Tell RT::ACE that this sort of object can get acls granted
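Review bot: The description string for `ExecutePerl` says it covers Perl in "templates, scrips, etc", but the commit message states that user-defined conditions and actions are not yet ACL-checked against it. An administrator who withholds this right to keep a principal from running code could take the description at face value and be misled. Until the scrip checks exist, I would add a comment above the entry such as `# TODO: enforced for templates only so far; scrip conditions/actions are not yet checked`, or narrow the description to templates.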
......
......@@ -211,13 +211,14 @@ sub Create {
@_
);
if ( $args{Type} eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ExecutePerl', Object => $RT::System) ) {
return ( undef, $self->loc('Permission Denied') );
}
unless ( $args{'Queue'} ) {
unless ( $self->CurrentUser->HasRight(Right =>'ModifyTemplate', Object => $RT::System) ) {
return ( undef, $self->loc('Permission Denied') );
}
if ( $args{Type} eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ModifyPerlTemplate', Object => $RT::System) ) {
return ( undef, $self->loc('Permission Denied') );
}
$args{'Queue'} = 0;
}
else {
......@@ -227,9 +228,6 @@ sub Create {
unless ( $QueueObj->CurrentUserHasRight('ModifyTemplate') ) {
return ( undef, $self->loc('Permission Denied') );
}
if ( $args{Type} eq 'Perl' && !$QueueObj->CurrentUserHasRight('ModifyPerlTemplate') ) {
return ( undef, $self->loc('Permission Denied') );
}
$args{'Queue'} = $QueueObj->Id;
}
......@@ -597,7 +595,7 @@ sub CurrentUserHasQueueRight {
=head2 SetType
If setting Type to Perl, require the ModifyPerlTemplate right on the queue.
If setting Type to Perl, require the ExecutePerl right.
=cut
......@@ -605,36 +603,13 @@ sub SetType {
my $self = shift;
my $NewType = shift;
if ($NewType eq 'Perl' && !$self->CurrentUserHasQueueRight('ModifyPerlTemplate')) {
if ($NewType eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ExecutePerl', Object => $RT::System)) {
return ( undef, $self->loc('Permission Denied') );
}
return $self->_Set( Field => 'Type', Value => $NewType );
}
=head2 SetQueue
When changing the queue, make sure the current user has ModifyPerlTemplate on the
new queue if the type is Perl.
Templates can't change Queue in the UI (yet?).
=cut
sub SetQueue {
my $self = shift;
my $NewQueue = shift;
my $NewQueueObj = RT::Queue->new( $self->CurrentUser );
$NewQueueObj->Load($NewQueue);
if ( $self->Type eq 'Perl' && !$NewQueueObj->CurrentUserHasRight('ModifyPerlTemplate') ) {
return ( undef, $self->loc('Permission Denied. You do not have ModifyPerlTemplate on the new queue.') );
}
return $self->_Set( Field => 'Queue', Value => $NewQueueObj->id );
}
=head2 CompileCheck
If the template's Type is Perl, then compile check all the codeblocks to see if
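Review bot: `ExecutePerl` is checked when a template is created with Type Perl and when `SetType` switches a template to Perl, but nothing in the visible hunks gates editing the content of a template that is already Perl. A user holding only ModifyTemplate may therefore still be able to change code that is later executed. If no setter elsewhere in the file covers this, the same `HasRight(Right => 'ExecutePerl', Object => $RT::System)` test belongs on the content-modifying path. The `SetType` POD could also say that the right is checked system-wide, for example `If setting Type to Perl, require the system-wide ExecutePerl right.` The bodies of `Create` and `SetType` begin or continue outside these hunks, so this is a question to confirm against the full file.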
......
......@@ -47,17 +47,17 @@ $m->submit;
$m->title_is(q{Modify template Resolved}, 'modifying the Resolved template');
$m->form_name('ModifyTemplate');
is($m->value('Type'), 'Simple', 'need the ModifyPerlTemplate right to update Type to Perl');
is($m->value('Type'), 'Simple', 'need the ExecutePerl right to update Type to Perl');
$m->content_contains('Permission Denied');
ok( RT::Test->add_rights(
{ Principal => $user_a, Right => [qw(ModifyPerlTemplate)] },
), 'add ModifyPerlTemplate rights');
{ Principal => $user_a, Right => [qw(ExecutePerl)] },
), 'add ExecutePerl rights');
$m->field(Type => 'Perl');
$m->submit;
$m->title_is(q{Modify template Resolved}, 'modifying the Resolved template');
$m->form_name('ModifyTemplate');
is($m->value('Type'), 'Perl', 'now that we have ModifyPerlTemplate we can update Type to Perl');
is($m->value('Type'), 'Perl', 'now that we have ExecutePerl we can update Type to Perl');