[Rt-commit] rt branch, 4.0/display-actions-on-abort, created. rt-4.0.6-254-gb49b0db
Alex Vandiver
alexmv at bestpractical.com
Tue Oct 30 19:27:22 EDT 2012
The branch, 4.0/display-actions-on-abort has been created
at b49b0dba9e61aea4f09e300d9720c97dc1566555 (commit)
- Log -----------------------------------------------------------------
commit e0e9e5e910f042a151463f67f9896022496893d0
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Aug 7 18:48:36 2012 -0400
Allow the passing of actions through to Abort
When a change causes a ticket to no longer be viewable to the user, the
results of the change are now at least displayed to the user.
diff --git a/share/html/Elements/Error b/share/html/Elements/Error
index 87dfd02..04998c7 100755
--- a/share/html/Elements/Error
+++ b/share/html/Elements/Error
@@ -52,6 +52,8 @@
<& /Elements/Tabs &>
% }
+<& /Elements/ListActions, actions => $Actions &>
+
<div class="error">
<%$Why%>
<br />
@@ -64,6 +66,7 @@ $m->abort();
</%cleanup>
<%args>
+$Actions => []
$Code => undef
$Details => ''
$Title => loc("RT Error")
diff --git a/share/html/Ticket/Display.html b/share/html/Ticket/Display.html
index 5e84a50..0b86e0f 100755
--- a/share/html/Ticket/Display.html
+++ b/share/html/Ticket/Display.html
@@ -177,10 +177,12 @@ if ($ARGS{'id'} eq 'new') {
push @Actions, ProcessObjectCustomFieldUpdates(ARGSRef => \%ARGS, TicketObj => $TicketObj );
push @Actions, ProcessTicketReminders( ARGSRef => \%ARGS, TicketObj => $TicketObj );
- # XXX: we shouldn't block actions here if user has no right to see the ticket,
- # but we should allow him to see actions he has done
unless ($TicketObj->CurrentUserHasRight('ShowTicket')) {
- Abort("No permission to view ticket");
+ if (@Actions) {
+ Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@Actions);
+ } else {
+ Abort("No permission to view ticket");
+ }
}
if ( $ARGS{'MarkAsSeen'} ) {
$TicketObj->SetAttribute(
diff --git a/share/html/Ticket/Modify.html b/share/html/Ticket/Modify.html
index d779b12..752b99d 100755
--- a/share/html/Ticket/Modify.html
+++ b/share/html/Ticket/Modify.html
@@ -83,10 +83,13 @@ push @results, ProcessObjectCustomFieldUpdates(Object => $TicketObj, ARGSRef =>
$TicketObj->ApplyTransactionBatch;
-# TODO: display the results, even if we can't display the ticket
unless ($TicketObj->CurrentUserHasRight('ShowTicket')) {
- Abort("No permission to view ticket");
-}
+ if (@results) {
+ Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@results);
+ } else {
+ Abort("No permission to view ticket");
+ }
+}
</%INIT>
<%ARGS>
diff --git a/share/html/Ticket/ModifyAll.html b/share/html/Ticket/ModifyAll.html
index 8619cd5..a645c81 100755
--- a/share/html/Ticket/ModifyAll.html
+++ b/share/html/Ticket/ModifyAll.html
@@ -215,10 +215,12 @@ unless ($OnlySearchForPeople or $OnlySearchForGroup or $ARGS{'AddMoreAttach'} )
$Ticket->ApplyTransactionBatch;
# If they've gone and moved the ticket to somewhere they can't see, etc...
-# TODO: display the results, even if we can't display the ticket.
-
unless ($Ticket->CurrentUserHasRight('ShowTicket')) {
- Abort("No permission to view ticket");
+ if (@results) {
+ Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@results);
+ } else {
+ Abort("No permission to view ticket");
+ }
}
diff --git a/share/html/m/ticket/show b/share/html/m/ticket/show
index f6ffe88..2b41fd8 100644
--- a/share/html/m/ticket/show
+++ b/share/html/m/ticket/show
@@ -112,10 +112,12 @@ if ($ARGS{'id'} eq 'new') {
push @Actions, ProcessObjectCustomFieldUpdates(ARGSRef => \%ARGS, TicketObj => $Ticket );
push @Actions, ProcessTicketReminders( ARGSRef => \%ARGS, TicketObj => $Ticket );
- # XXX: we shouldn't block actions here if user has no right to see the ticket,
- # but we should allow him to see actions he has done
unless ($Ticket->CurrentUserHasRight('ShowTicket')) {
- Abort("No permission to view ticket");
+ if (@Actions) {
+ Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@Actions);
+ } else {
+ Abort("No permission to view ticket");
+ }
}
if ( $ARGS{'MarkAsSeen'} ) {
$Ticket->SetAttribute(
commit b49b0dba9e61aea4f09e300d9720c97dc1566555
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Aug 7 20:15:27 2012 -0400
Descriptions of just-created transactions should always be readable
If a user had permissions to execute a change, they should always have
permission to read the description of the transaction that is returned.
This case is triggered when a user changes a ticket's queue to one they
do not have rights in, for example; without it, the UI merely displays
the unhelpful status change "Permission denied" in @Actions, despite an
action clearly having happened.
While the simplest method for ensuring that the transaction can be read
would be to load it as the system user, this causes the returned message
to be in the system user's localization, not the current user's. Add an
explicit flag which allows ->CurrentUserCanSee to be overridden for this
one object.
diff --git a/lib/RT/Ticket.pm b/lib/RT/Ticket.pm
index 91711e4..0e76592 100644
--- a/lib/RT/Ticket.pm
+++ b/lib/RT/Ticket.pm
@@ -3491,6 +3491,9 @@ sub _Set {
OldValue => $Old,
TimeTaken => $args{'TimeTaken'},
);
+ # Ensure that we can read the transaction, even if the change
+ # just made the ticket unreadable to us
+ $TransObj->{ _object_is_readable } = 1;
return ( $Trans, scalar $TransObj->BriefDescription );
}
else {
diff --git a/lib/RT/Transaction.pm b/lib/RT/Transaction.pm
index 5b3641f..e01b257 100644
--- a/lib/RT/Transaction.pm
+++ b/lib/RT/Transaction.pm
@@ -1067,6 +1067,11 @@ sub CurrentUserCanSee {
$cf->Load( $cf_id );
return 0 unless $cf->CurrentUserHasRight('SeeCustomField');
}
+
+ # Transactions that might have changed the ->Object's visibility to
+ # the current user are marked readable
+ return 1 if $self->{ _object_is_readable };
+
# Defer to the object in question
return $self->Object->CurrentUserCanSee("Transaction");
}
-----------------------------------------------------------------------
More information about the Rt-commit
mailing list