1. 07 Jan, 2013 1 commit
  2. 21 Nov, 2012 2 commits
  3. 05 Nov, 2012 1 commit
  4. 04 Apr, 2012 1 commit
    • Ensure that all joins through CachedGroupMembers limits to non-disabled rows · fbef48d9
      Alex Vandiver authored
      When a group becomes disabled in RT, we mark all CGM rows that existed
      because of that group as 'Disabled'.  Unfortunately, many joins through
      CGM neglected to take the Disabled column into account, leading to users
      possibly having rights that they should not, due to having them by way
      of a disabled group.
      
      This addresses CVE-2011-4459.
  5. 03 Jan, 2012 1 commit
  6. 20 Jul, 2011 1 commit
  7. 18 Jul, 2011 1 commit
  8. 14 Jul, 2011 2 commits
    • Rewrite ForWhichCurrentUserHasRight, and add more tests · 9b4f9541
      Alex Vandiver authored
      The previous implementation didn't depend in any way on what object the
      right was granted on, merely the membership of the group, and what
      groups that group was in.  The correct implementation examines the
      ObjectType and ObjectId parameters of the ACL table.  Specifically, it
      returns groups which are the target of ACLs, which were granted by a
      group, which the current user is a member of.  That is, groups which the
      current user has a particular right on, as the name of the method
      implies.
      
      t/api/group-rights.t has been refactored to be more concise, and cover
      all possibilities of where the ACL can be granted, and to what.
      ForWhichCurrentUserHasRight now agrees with CurrentUserHasRight for all
      cases.
    • Fix the join direction on ForWhichCurrentUserHasRight · 86a78900
      Alex Vandiver authored
      Previously, you only saw the group if your _direct_ membership in it was
      what granted the right.  However, what we actually care about is if:
       (a) You are a member of the group, by any means.
      AND
       (b) The group grants you the right; that is, if it is a member of any
           group which has that right granted to it.
  9. 03 Mar, 2011 1 commit
  10. 15 Feb, 2011 3 commits
  11. 28 Dec, 2010 4 commits
  12. 07 Dec, 2010 1 commit
  13. 06 Dec, 2010 2 commits
  14. 19 Sep, 2010 2 commits
  15. 17 Sep, 2010 1 commit
  16. 17 Aug, 2010 1 commit
  17. 29 Jul, 2010 2 commits
  18. 17 Feb, 2010 1 commit
  19. 16 Feb, 2010 1 commit
  20. 30 Sep, 2009 1 commit
  21. 06 Jan, 2009 2 commits
  22. 09 Jun, 2008 1 commit
  23. 24 Apr, 2008 1 commit
  24. 11 Apr, 2008 2 commits
  25. 28 Feb, 2008 1 commit
  26. 13 Jan, 2008 1 commit
  27. 12 Dec, 2007 1 commit
  28. 07 Aug, 2007 1 commit