[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.8-201-g89e6992

Emannuel Lacour elacour at bestpractical.com
Mon Nov 29 05:53:28 EST 2010


The branch, 3.8-trunk has been updated
       via  89e6992cb066333b6485cb3645e668bc20b72946 (commit)
      from  a13aa111b176f8cf5562e5d92f3570188af1794e (commit)

Summary of changes:
 lib/RT/CustomFieldValue_Overlay.pm |   19 +++++++++++++
 t/api/cf_rights.t                  |   51 ++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 0 deletions(-)
 create mode 100644 t/api/cf_rights.t

- Log -----------------------------------------------------------------
commit 89e6992cb066333b6485cb3645e668bc20b72946
Author: Emmanuel Lacour <elacour at home-dn.net>
Date:   Mon Nov 29 11:49:48 2010 +0100

    Fix permission issue that allows everyone with SeeCustomField right to modify the existing customfield values (closes: #16089)

diff --git a/lib/RT/CustomFieldValue_Overlay.pm b/lib/RT/CustomFieldValue_Overlay.pm
index 535fc57..2f5e8e2 100644
--- a/lib/RT/CustomFieldValue_Overlay.pm
+++ b/lib/RT/CustomFieldValue_Overlay.pm
@@ -173,4 +173,23 @@ sub Delete {
     return $self->SUPER::Delete(@_);
 }
 
+sub _Set { 
+    my $self = shift; 
+
+    my $cf_id = $self->CustomField; 
+
+    my $cf = RT::CustomField->new( $self->CurrentUser ); 
+    $cf->Load( $cf_id ); 
+
+    unless ( $cf->id ) { 
+        return (0, $self->loc("Couldn't load Custom Field #[_1]", $cf_id)); 
+    } 
+
+    unless ($cf->CurrentUserHasRight('AdminCustomField') || $cf->CurrentUserHasRight('AdminCustomFieldValues')) { 
+        return (0, $self->loc('Permission Denied')); 
+    } 
+
+    return $self->SUPER::_Set( @_ ); 
+} 
+
 1;
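Review bot: The right is checked only against the custom field the value currently belongs to (`$self->CustomField`), and `@_` is then forwarded to `SUPER::_Set` unchanged, so the check never looks at which column is being written. If the `CustomField` column is itself writable through `_Set` (its accessor table is not visible in this hunk), a value could be re-parented onto a field where the caller holds neither admin right. I would unpack `Field`/`Value` and, when `Field` is `CustomField`, require the same right on the destination field before delegating, as sketched below. `Delete` is visible here only by its last line, so whether it applies an equivalent check should be confirmed separately.

```perl
sub _Set {
    my $self = shift;
    my %args = ( Field => undef, Value => undef, @_ );
    # … unchanged: load $cf from $self->CustomField and check rights on it …

    # Moving a value to another custom field must also be authorised there.
    if ( defined $args{'Field'} && $args{'Field'} eq 'CustomField' ) {
        my $target = RT::CustomField->new( $self->CurrentUser );
        $target->Load( $args{'Value'} );
        unless ( $target->id
            && ( $target->CurrentUserHasRight('AdminCustomField')
              || $target->CurrentUserHasRight('AdminCustomFieldValues') ) ) {
            return (0, $self->loc('Permission Denied'));
        }
    }

    return $self->SUPER::_Set( @_ );
}
```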
diff --git a/t/api/cf_rights.t b/t/api/cf_rights.t
new file mode 100644
index 0000000..f55214a
--- /dev/null
+++ b/t/api/cf_rights.t
@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+use warnings;
+use strict;
+
+use RT;
+use RT::Test tests => 12;
+
+my $q = RT::Queue->new($RT::SystemUser);
+my ($id,$msg) =$q->Create(Name => "CF-Rights-".$$);
+ok($id,$msg);
+
+my $cf = RT::CustomField->new($RT::SystemUser);
+($id,$msg) = $cf->Create(Name => 'CF-'.$$, Type => 'Select', MaxValues => '1', Queue => $q->id);
+ok($id,$msg);
+
+
+($id,$msg) =$cf->AddValue(Name => 'First');
+ok($id,$msg);
+
+my $u = RT::User->new($RT::SystemUser);
+($id,$msg) = $u->Create( Name => 'User1', Privileged => 1 );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'SeeCustomField' );
+ok ($id,$msg);
+
+my $ucf = RT::CustomField->new($u);
+($id,$msg) = $ucf->Load( $cf->Id );
+ok ($id,$msg);
+
+my $cfv = $ucf->Values->First;
+
+($id,$msg) = $cfv->SetName( 'First1' );
+ok (!$id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'AdminCustomFieldValues' );
+ok ($id,$msg);
+
+($id,$msg) = $cfv->SetName( 'First2' );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->RevokeRight( Object => $cf, Right => 'AdminCustomFieldValues' );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'AdminCustomField' );
+ok ($id,$msg);
+
+($id,$msg) = $cfv->SetName( 'First3' );
+ok ($id,$msg);
+
+1;
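Review bot: The denial case `ok (!$id,$msg)` after `SetName( 'First1' )` asserts only that the call returned false, which would also pass if it failed for an unrelated reason, and it says nothing about the stored value. Adding `is( $cf->Values->First->Name, 'First', 'name unchanged after denied SetName' );` right after it, and raising the plan to `tests => 13`, would pin that nothing was written, read back through the SystemUser-loaded `$cf`. `$cfv` is also used without checking that `$ucf->Values->First` returned an object, so a visibility regression would abort the script instead of failing a test. Only `SetName` is exercised; the other setters that pass through `_Set` are not covered.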

-----------------------------------------------------------------------

