[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.8-201-g89e6992
Emannuel Lacour
elacour at bestpractical.com
Mon Nov 29 05:53:28 EST 2010
The branch, 3.8-trunk has been updated
via 89e6992cb066333b6485cb3645e668bc20b72946 (commit)
from a13aa111b176f8cf5562e5d92f3570188af1794e (commit)
Summary of changes:
lib/RT/CustomFieldValue_Overlay.pm | 19 +++++++++++++
t/api/cf_rights.t | 51 ++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+), 0 deletions(-)
create mode 100644 t/api/cf_rights.t
- Log -----------------------------------------------------------------
commit 89e6992cb066333b6485cb3645e668bc20b72946
Author: Emmanuel Lacour <elacour at home-dn.net>
Date: Mon Nov 29 11:49:48 2010 +0100
Fix permission issue that allows everyone with SeeCustomField right to modify the existing customfield values (closes: #16089)
diff --git a/lib/RT/CustomFieldValue_Overlay.pm b/lib/RT/CustomFieldValue_Overlay.pm
index 535fc57..2f5e8e2 100644
--- a/lib/RT/CustomFieldValue_Overlay.pm
+++ b/lib/RT/CustomFieldValue_Overlay.pm
@@ -173,4 +173,23 @@ sub Delete {
return $self->SUPER::Delete(@_);
}
+sub _Set {
+ my $self = shift;
+
+ my $cf_id = $self->CustomField;
+
+ my $cf = RT::CustomField->new( $self->CurrentUser );
+ $cf->Load( $cf_id );
+
+ unless ( $cf->id ) {
+ return (0, $self->loc("Couldn't load Custom Field #[_1]", $cf_id));
+ }
+
+ unless ($cf->CurrentUserHasRight('AdminCustomField') || $cf->CurrentUserHasRight('AdminCustomFieldValues')) {
+ return (0, $self->loc('Permission Denied'));
+ }
+
+ return $self->SUPER::_Set( @_ );
+}
+
1;
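Review bot: The new `_Set` checks rights only on the custom field the value currently belongs to (`$self->CustomField`), so if the `CustomField` column is itself writable through `_Set`, the destination field's rights are never consulted when a value is moved between fields. Consider unpacking `my %args = @_;` and, when `$args{Field} eq 'CustomField'`, requiring the same two rights on the field identified by `$args{Value}` before calling `SUPER::_Set`. Only the tail of `Delete` is visible in this hunk, so it is worth confirming that `Delete` and `Create` enforce the same pair of rights. A one-line comment above the sub, such as `# Writes need AdminCustomField or AdminCustomFieldValues on the owning custom field`, would document the rule for later maintainers.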
diff --git a/t/api/cf_rights.t b/t/api/cf_rights.t
new file mode 100644
index 0000000..f55214a
--- /dev/null
+++ b/t/api/cf_rights.t
@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+use warnings;
+use strict;
+
+use RT;
+use RT::Test tests => 12;
+
+my $q = RT::Queue->new($RT::SystemUser);
+my ($id,$msg) =$q->Create(Name => "CF-Rights-".$$);
+ok($id,$msg);
+
+my $cf = RT::CustomField->new($RT::SystemUser);
+($id,$msg) = $cf->Create(Name => 'CF-'.$$, Type => 'Select', MaxValues => '1', Queue => $q->id);
+ok($id,$msg);
+
+
+($id,$msg) =$cf->AddValue(Name => 'First');
+ok($id,$msg);
+
+my $u = RT::User->new($RT::SystemUser);
+($id,$msg) = $u->Create( Name => 'User1', Privileged => 1 );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'SeeCustomField' );
+ok ($id,$msg);
+
+my $ucf = RT::CustomField->new($u);
+($id,$msg) = $ucf->Load( $cf->Id );
+ok ($id,$msg);
+
+my $cfv = $ucf->Values->First;
+
+($id,$msg) = $cfv->SetName( 'First1' );
+ok (!$id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'AdminCustomFieldValues' );
+ok ($id,$msg);
+
+($id,$msg) = $cfv->SetName( 'First2' );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->RevokeRight( Object => $cf, Right => 'AdminCustomFieldValues' );
+ok ($id,$msg);
+
+($id,$msg) = $u->PrincipalObj->GrantRight( Object => $cf, Right => 'AdminCustomField' );
+ok ($id,$msg);
+
+($id,$msg) = $cfv->SetName( 'First3' );
+ok ($id,$msg);
+
+1;
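Review bot: There is no denial assertion after the `RevokeRight` call for `AdminCustomFieldValues`, so the final `SetName( 'First3' )` does not prove that `AdminCustomField` alone is sufficient; it would also pass if the revocation had no effect. Add `($id,$msg) = $cfv->SetName( 'First2b' ); ok(!$id, 'denied after revoke');` before granting `AdminCustomField`, and raise `tests => 12` to match. The first denial check at `SetName( 'First1' )` only looks at the return value; reloading the value and checking that its name is still `First` would also catch a setter that reports failure but still writes. Only `SetName` is exercised here, so the other setters that pass through `_Set` remain uncovered.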
-----------------------------------------------------------------------