Skip to content
GitLab
Switch branch/tag
  1. 07 Jan, 2013 1 commit
  3. 21 Nov, 2012 2 commits
  5. 05 Nov, 2012 1 commit
  7. 04 Apr, 2012 1 commit
    • Alex Vandiver's avatar
      Ensure that all joins through CachedGroupMembers limits to non-disabled rows · fbef48d9
      Alex Vandiver authored 
      When a group becomes disabled in RT, we mark all CGM rows that existed
because of that group as 'Disabled'.  Unfortunately, many joins through
CGM neglected to take the Disabled column into account, leading to users
possibly having rights that they should not, due to having them by way
of a disabled group.

This addresses CVE-2011-4459.
      fbef48d9
  9. 03 Jan, 2012 1 commit
  11. 20 Jul, 2011 1 commit
  13. 18 Jul, 2011 1 commit
  15. 14 Jul, 2011 2 commits
    • Alex Vandiver's avatar
      Rewrite ForWhichCurrentUserHasRight, and add more tests · 9b4f9541
      Alex Vandiver authored 
      The previous implementation didn't depend in any way on what object the
right was granted on, merely the membership of the group, and what
groups that group was in.  The correct implementation examines the
ObjectType and ObjectId parameters of the ACL table.  Specifically, it
returns groups which are the target of ACLs, which were granted by a
group, which the current user is a member of.  That is, groups which the
current user has a particular right on, as the name of the method
implies.

t/api/group-rights.t has been refactored to be more concise, and cover
all possibilities of where the ACL can be granted, and to what.
ForWhichCurrentUserHasRight now agrees with CurrentUserHasRight for all
cases.
      9b4f9541
    • Alex Vandiver's avatar
      Fix the join direction on ForWhichCurrentUserHasRight · 86a78900
      Alex Vandiver authored 
      Previously, you only saw the group if your _direct_ membership in it was
what granted the right.  However, what we actually care about is if:
 (a) You are a member of the group, by any means.
AND
 (b) The group grants you the right; that is, if it is a member of any
     group which has that right granted to it.
      86a78900
  17. 03 Mar, 2011 1 commit
  19. 15 Feb, 2011 3 commits
  21. 28 Dec, 2010 4 commits
  23. 07 Dec, 2010 1 commit
  25. 06 Dec, 2010 2 commits
  27. 19 Sep, 2010 2 commits
  29. 17 Sep, 2010 1 commit
  31. 17 Aug, 2010 1 commit
  33. 29 Jul, 2010 2 commits
  35. 17 Feb, 2010 1 commit
  37. 16 Feb, 2010 1 commit
  39. 30 Sep, 2009 1 commit
  41. 06 Jan, 2009 2 commits
  43. 09 Jun, 2008 1 commit
  45. 24 Apr, 2008 1 commit
  47. 11 Apr, 2008 2 commits
  49. 28 Feb, 2008 1 commit
  51. 13 Jan, 2008 1 commit
  53. 12 Dec, 2007 1 commit
  55. 07 Aug, 2007 1 commit