[Rt-commit] rt branch, 4.2/role-group-ACLs, created. rt-4.2.9-61-g87f7fcd

Alex Vandiver alexmv at bestpractical.com
Mon Dec 29 15:22:35 EST 2014


The branch, 4.2/role-group-ACLs has been created
        at  87f7fcd7bb1f986f99ae59810616bc27b9a5b226 (commit)

- Log -----------------------------------------------------------------
commit 87f7fcd7bb1f986f99ae59810616bc27b9a5b226
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Mon Dec 29 15:15:03 2014 -0500

    Skip global-only rights for global role groups
    
    The "ModifySelf", "ShowApprovalsTab", and other global-only rights make
    no sense to display on the global role group pages.  Since
    RT::System->HasRole() returns true for all roles, they show up
    nonetheless.  Thus, explicitly skip RT::System when determining which
    rights might be relevant to the role.
    
    Fixes I#30556.

diff --git a/etc/upgrade/4.2.10/content b/etc/upgrade/4.2.10/content
new file mode 100644
index 0000000..fa72780
--- /dev/null
+++ b/etc/upgrade/4.2.10/content
@@ -0,0 +1,30 @@
+use strict;
+use warnings;
+
+our @Initial = (
+    sub {
+        # Remove globally-granted role rights which couldn't also apply
+        # to some other object.  That is, globally granting that
+        # AdminCcs have SuperUser makes no sense.
+
+        # Find rights which apply globally
+        my @rights = sort map {$_->{Name}} values %{$RT::ACE::RIGHTS{'RT::System'}};
+
+        # Those are not allowed to be granted on global role groups
+        my $invalid = RT::ACL->new( RT->SystemUser );
+        $invalid->LimitToObject( 'RT::System' );
+        $invalid->LimitToPrincipal( Id => RT::System->RoleGroup($_)->PrincipalId )
+            for RT::System->Roles;
+        $invalid->Limit( FIELD => 'RightName', OPERATOR => 'IN', VALUE => \@rights );
+
+        return unless $invalid->Count;
+
+        # Remove them, warning in the process
+        $RT::Logger->warning("There are invalid global role rights; removing:");
+        while (my $right = $invalid->Next) {
+            $RT::Logger->warning("  ".$right->RightName." granted globally to ".$right->PrincipalObj->Object->Name);
+            my ($ok, $msg) = $right->Delete;
+            $RT::Logger->error("Failed to remove right ".$right->id.": $msg") unless $ok;
+        }
+    },
+);
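Review bot: The comment at the top of the sub says the step removes rights "which couldn't also apply to some other object", but `@rights` is taken from every entry of `$RT::ACE::RIGHTS{'RT::System'}` without checking whether the same right name is also registered on another role-bearing class; if any name is shared (I can't confirm from the hunk whether the sets are disjoint), a legitimate global grant to a role group would be deleted by this irreversible step. The companion change in lib/RT/System.pm defines "relevant" as rights from any class that DOES RT::Record::Role::Roles other than RT::System, so the upgrade should use the complement of that set rather than the raw RT::System list. Since each deletion is only logged at warning level, I'd also include `$right->id` in that line so the removal can be audited against the ACL table afterwards. The sub is complete within the hunk.
```perl
        # Find rights which apply globally and are not also registered on any
        # other role-bearing class -- only those are meaningless for role groups
        my %global_only = map { $_->{Name} => 1 } values %{ $RT::ACE::RIGHTS{'RT::System'} };
        for my $class (grep { $_ ne 'RT::System' } keys %RT::ACE::RIGHTS) {
            next unless $class->DOES('RT::Record::Role::Roles');
            delete $global_only{ $_->{Name} } for values %{ $RT::ACE::RIGHTS{$class} };
        }
        my @rights = sort keys %global_only;
        # … unchanged: build $invalid, return unless Count, removal loop …
```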
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 43c021a..6df64cf 100644
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -117,7 +117,7 @@ sub AvailableRights {
     if ($principal and $principal->IsRoleGroup) {
         my $role = $principal->Object->Name;
         for my $class (keys %RT::ACE::RIGHTS) {
-            next unless $class->DOES('RT::Record::Role::Roles') and $class->HasRole($role);
+            next unless $class->DOES('RT::Record::Role::Roles') and $class->HasRole($role) and $class ne "RT::System";
             push @rights, values %{ $RT::ACE::RIGHTS{$class} };
         }
     } else {
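Review bot: The new `and $class ne "RT::System"` clause is the only part of the condition that carries the reasoning from the commit message, yet it sits unexplained at the end of an already long line where a reader will not see why one class is special-cased. I'd hoist it into its own guard with the justification as a comment, e.g. `next if $class eq "RT::System"; # RT::System->HasRole is true for every role, so it would pull in global-only rights` followed by the original `next unless $class->DOES(...) and $class->HasRole($role);`. This also avoids the DOES/HasRole method calls for that class. AvailableRights begins and ends outside the hunk.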

-----------------------------------------------------------------------

