[Rt-commit] rt branch, 3.9-trunk, updated. rt-3.9.4-539-ge0e200b

Alex Vandiver alexmv at bestpractical.com
Fri Nov 19 16:19:35 EST 2010


The branch, 3.9-trunk has been updated
       via  e0e200b0b2a7755f0e7dbecc38c918f251c710d4 (commit)
      from  f8a3c1dc97dfd7045870e057773f99381a8ce828 (commit)

Summary of changes:
 lib/RT/Principal_Overlay.pm |    9 +++++++++
 lib/RT/System.pm            |    1 +
 2 files changed, 10 insertions(+), 0 deletions(-)

- Log -----------------------------------------------------------------
commit e0e200b0b2a7755f0e7dbecc38c918f251c710d4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Oct 27 16:31:21 2010 -0400

    Add a flag to disallow anyone, including the superuser, from executing code

diff --git a/lib/RT/Principal_Overlay.pm b/lib/RT/Principal_Overlay.pm
index c3998ec..477662d 100755
--- a/lib/RT/Principal_Overlay.pm
+++ b/lib/RT/Principal_Overlay.pm
@@ -150,6 +150,9 @@ sub GrantRight {
         @_
     );
 
+    return (0, "Permission denied") if $args{'Right'} eq 'ExecuteCode'
+        and RT->Config->Get('DisallowExecuteCode');
+
     #ACL check handled in ACE.pm
     my $ace = RT::ACE->new( $self->CurrentUser );
 
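Review bot: The guard `$args{'Right'} eq 'ExecuteCode'` is an exact, case-sensitive string match, and no right-name canonicalization is visible before it in this hunk. If right names are normalized later (in RT::ACE, not shown here), a differently cased name might get past this check, and the comparison also warns when `Right` is undef. Consider comparing a normalized form, e.g. `lc( $args{'Right'} || '' ) eq 'executecode'`, or moving the check after canonicalization. The same two-line condition is repeated in the HasRight and RolesWithRight hunks, so a small private helper such as `_ExecuteCodeDisallowed($right)` would keep the three copies from drifting apart. GrantRight's body continues outside the hunk.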
@@ -262,6 +265,9 @@ sub HasRight {
         return undef;
     }
 
+    return undef if $args{'Right'} eq 'ExecuteCode'
+        and RT->Config->Get('DisallowExecuteCode');
+
     $args{'EquivObjects'} = [ @{ $args{'EquivObjects'} } ]
         if $args{'EquivObjects'};
 
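Review bot: Nothing in this hunk records why the early return exists or that its position matters. Because the flag is meant to bind even the superuser, the check has to stay ahead of any ACL or SuperUser resolution further down in HasRight. I would add a comment above it such as `# Hard deny: DisallowExecuteCode overrides every grant, including SuperUser; keep before any ACL lookup`. HasRight starts and ends outside the hunk, so it cannot be confirmed from here that no earlier path returns true. The diffstat lists only two files, so the option's default and documentation are not part of this commit and are worth checking.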
@@ -472,6 +478,9 @@ sub RolesWithRight {
                  @_
                );
 
+    return () if $args{'Right'} eq 'ExecuteCode'
+        and RT->Config->Get('DisallowExecuteCode');
+
     my $query = "SELECT DISTINCT PrincipalType FROM ACL"
 
         # Only find superuser or rights with the requested right
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 6a2cb57..cc76c86 100755
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -134,6 +134,7 @@ sub AvailableRights {
 
     # Build a merged list of all system wide rights, queue rights and group rights.
     my %rights = (%{$RIGHTS}, %{$gr}, %{$qr}, %{$cr});
+    delete $rights{ExecuteCode} if RT->Config->Get('DisallowExecuteCode');
 
     return(\%rights);
 }
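Review bot: Deleting `ExecuteCode` from the merged `%rights` only hides the right from this listing; ACL rows granted before the flag was set are not touched by this commit. The HasRight guard neutralises them, but they presumably no longer appear wherever AvailableRights feeds a rights editor, which makes stale grants hard to audit or revoke. They would also become effective again if the flag is later unset. A short comment here, e.g. `# hidden from listings only; enforcement is in Principal_Overlay.pm HasRight`, plus a line in the option's documentation about reviewing existing grants, would help.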

-----------------------------------------------------------------------

