[Rt-commit] r15744 - in rt/branches/3.999-DANGEROUS: lib/RT/Model

ruz at bestpractical.com ruz at bestpractical.com
Wed Sep 3 20:26:34 EDT 2008


Author: ruz
Date: Wed Sep  3 20:26:31 2008
New Revision: 15744

Modified:
   rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
   rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
   rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm

Log:
* add delegations column that references a collection
  of ACEs delegated from this ACE
* fix delete inheritance


Modified: rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
==============================================================================
--- rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script	(original)
+++ rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script	Wed Sep  3 20:26:31 2008
@@ -10,3 +10,5 @@
 
 Users.EmailAddress -> Users.email 
 Users.email_confirmed is new
+
+zeroes in ACL.delegate_by and ACL.delegate_from should be replaced with NULLs

Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm	(original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm	Wed Sep  3 20:26:31 2008
@@ -86,6 +86,7 @@
     column object_id => type is 'int', default is '0';
     column delegated_by   => references RT::Model::Principal;
     column delegated_from => references RT::Model::ACE;
+    column delegations => references RT::Model::ACECollection by 'delegated_from';
 };
 
 use vars qw (
@@ -322,7 +323,7 @@
     RT::Model::Principal->invalidate_acl_cache();
 
     if ($id) {
-        return ( $id, _('right Granted') );
+        return ( $id, _('Right granted') );
     } else {
         return ( 0, _('System error. Right not granted.') );
     }
@@ -433,89 +434,63 @@
 =head2 delete
 
 Delete this object. This method should ONLY ever be called from RT::Model::User or RT::Model::Group (or from itself)
-If this is being called from within a transaction, specify a true value for the parameter inside_transaction.
-Really, Jifty::DBI should use and/or fake subtransactions
 
 This routine will also recurse and delete any delegations of this right
 
 =cut
 
-sub delete {
+sub check_delete_rights {
     my $self = shift;
 
-    unless ( $self->id ) {
-        return ( 0, _('Right not loaded.') );
-    }
-
-    # A user can delete an ACE if the current user has the right to modify it and it's not a delegated ACE
-    # or if it's a delegated ACE and it was delegated by the current user
-    unless (
-        (   $self->current_user->has_right(
-                right  => 'ModifyACL',
-                object => $self->object
-            )
-            && $self->__value('delegated_by') == 0
-        )
-        || ( $self->__value('delegated_by') == $self->current_user->id )
-        )
-    {
-        return ( 0, _('Permission Denied') );
-    }
-    $self->_delete(@_);
+    # if it's a delegated ACE then delegator can delete it
+    my $delegated = $self->delegated_by;
+    return 1 if $delegated && ($delegated->id||0) == $self->current_user->id;
+    return $self->current_user->has_right(
+        right  => 'ModifyACL',
+        object => $self->object,
+    );
+    return 1;
 }
 
 # Helper for Delete with no ACL check
-sub _delete {
+sub _delete { return (shift)->__delete( @_ ) }
+sub __delete {
     my $self = shift;
-    my %args = (
-        @_
-    );
 
     my $inside_transaction = Jifty->handle->transaction_depth;
-    Jifty->handle->begin_transaction() unless $inside_transaction;
-
-    my $delegated_from_this = RT::Model::ACECollection->new( current_user => RT->system_user );
-    $delegated_from_this->limit(
-        column   => 'delegated_from',
-        operator => '=',
-        value    => $self->id
-    );
+    Jifty->handle->begin_transaction unless $inside_transaction;
 
-    my $delete_succeeded = 1;
-    my $submsg;
+    my $delegated_from_this = $self->delegations;
     while ( my $delegated_ace = $delegated_from_this->next ) {
-        ( $delete_succeeded, $submsg ) = $delegated_ace->_delete;
-        last unless ($delete_succeeded);
+        my ($status, $msg) = $delegated_ace->__delete;
+        unless ( $status ) {
+            Jifty->handle->rollback() unless $inside_transaction;
+            return ( 0, _('Right could not be revoked') );
+        }
     }
 
-    unless ($delete_succeeded) {
-        Jifty->handle->rollback() unless $inside_transaction;
+    my ($status, $msg) = $self->SUPER::__delete(@_);
+    unless ( $status ) {
+        Jifty->handle->rollback unless $inside_transaction;
         return ( 0, _('Right could not be revoked') );
     }
 
-    my ( $val, $msg ) = $self->SUPER::delete(@_);
-
     # If we're revoking delegation rights (see above), we may need to
     # revoke all rights delegated by the recipient.
-    if ($val
-        and (  $self->right_name() eq 'DelegateRights'
-            or $self->right_name() eq 'SuperUser' )
-        )
-    {
-        $val = $self->principal_object->_cleanup_invalid_delegations;
-    }
-
-    if ($val) {
-
-        #Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
-        # TODO what about the groups key cache?
-        RT::Model::Principal->invalidate_acl_cache();
-        Jifty->handle->commit() unless $inside_transaction;
-        return ( $val, _('Right revoked') );
+    my $right = $self->__value('right_name');
+    if ( $right eq 'DelegateRights' || $right eq 'SuperUser' ) {
+        my ($status) = $self->principal_object->_cleanup_invalid_delegations;
+        unless ( $status ) {
+            Jifty->handle->rollback unless $inside_transaction;
+            return ( 0, _('Right could not be revoked') );
+        }
     }
 
-    Jifty->handle->rollback() unless $inside_transaction;
-    return ( 0, _('Right could not be revoked') );
+    # Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
+    # TODO what about the groups key cache?
+    RT::Model::Principal->invalidate_acl_cache();
+    Jifty->handle->commit unless $inside_transaction;
+    return ( 1, _('Right revoked') );
 }
 
 
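Review bot: In `check_delete_rights` the trailing `return 1;` after `return $self->current_user->has_right(...)` is unreachable, and it would turn the check into fail-open if the preceding return were ever made conditional, so it should be dropped. The check also widens who may revoke: the removed code let a `ModifyACL` holder delete only ACEs whose `delegated_by` was 0, while the new code lets them delete delegated ACEs as well; if that is intended, a comment such as `# ModifyACL holders may also revoke delegated ACEs` would make it explicit. The removed `unless ( $self->id )` guard has no replacement visible in this hunk, so an unloaded ACE appears to reach `has_right` with whatever `$self->object` returns; `return 0 unless $self->id;` at the top would keep the old behaviour. In `__delete`, the cascade now iterates `$self->delegations` where the old code built the collection with `RT->system_user`; if that collection is presumably created under the record's own current user, it is worth confirming that no delegated ACE can be filtered out and survive the revocation. The `=head2 delete` POD now sits directly above `check_delete_rights`, and the public `delete` is presumably inherited from a base class outside this hunk, which the POD should say.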
@@ -628,7 +603,7 @@
 
 sub _set {
     my $self = shift;
-    return ( 0, _("ACEs can only be Created and deleted.") );
+    return ( 0, _("ACEs can only be created and deleted.") );
 }
 
 

Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm	(original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm	Wed Sep  3 20:26:31 2008
@@ -1387,4 +1387,3 @@
 }
 
 1;
-

