[Rt-commit] rt branch, 4.2-trunk, updated. rt-4.2.10-155-g1478a57

Jesse Vincent jesse at bestpractical.com
Fri Mar 6 03:58:19 EST 2015


The branch, 4.2-trunk has been updated
       via  1478a57e9f4dfc33c43e286e4960454503a2f4c8 (commit)
       via  fd73e11a5af3909917a9fc8ce0637f7017b90b42 (commit)
      from  ce146444d7047437f47cd2fcb42b0171598f638c (commit)

Summary of changes:
 etc/upgrade/4.2.11/content | 26 ++++++++++++++++++++++++++
 lib/RT/System.pm           |  2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)

- Log -----------------------------------------------------------------
commit 1478a57e9f4dfc33c43e286e4960454503a2f4c8
Merge: ce14644 fd73e11
Author: Jesse Vincent <jesse at bestpractical.com>
Date:   Fri Mar 6 00:57:16 2015 -0800

    Merge branch '4.2/role-group-ACLs' into 4.2-trunk
    
    * 4.2/role-group-ACLs:
      Skip global-only rights for global role groups
    
    Conflicts:
    	etc/upgrade/4.2.11/content

diff --cc etc/upgrade/4.2.11/content
index 5118aff,b060d4d..9c60f80
--- a/etc/upgrade/4.2.11/content
+++ b/etc/upgrade/4.2.11/content
@@@ -3,13 -3,29 +3,39 @@@ use warnings
  
  our @Initial = (
      sub {
 +        # We do the delete in pure SQL because Attribute collections
 +        # otherwise attempt to hash everything in memory.  As this may
 +        # be a large list, do it directly.
 +        RT->DatabaseHandle->dbh->do(<<EOSQL);
 +            DELETE FROM Attributes
 +             WHERE Name = 'DeferredRecipients'
 +               AND Content IS NULL;
 +EOSQL
 +    },
++    sub {
+         # Remove globally-granted role rights which couldn't also apply
+         # to some other object.  That is, globally granting that
+         # AdminCcs have SuperUser makes no sense.
+ 
+         # Find rights which apply globally
+         no warnings 'once';
+         my @rights = sort map {$_->{Name}} values %{$RT::ACE::RIGHTS{'RT::System'}};
+ 
+         # Those are not allowed to be granted on global role groups
+         my $invalid = RT::ACL->new( RT->SystemUser );
+         $invalid->LimitToObject( 'RT::System' );
+         $invalid->LimitToPrincipal( Id => RT::System->RoleGroup($_)->PrincipalId )
+             for RT::System->Roles;
+         $invalid->Limit( FIELD => 'RightName', OPERATOR => 'IN', VALUE => \@rights );
+ 
+         return unless $invalid->Count;
+ 
+         # Remove them, warning in the process
+         $RT::Logger->warning("There are invalid global role rights; removing:");
+         while (my $right = $invalid->Next) {
+             $RT::Logger->warning("  ".$right->RightName." granted globally to ".$right->PrincipalObj->Object->Name);
+             my ($ok, $msg) = $right->Delete;
+             $RT::Logger->error("Failed to remove right ".$right->id.": $msg") unless $ok;
+         }
+     },
  );
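Review bot: The role-rights cleanup in the second sub has no guard against an empty input. If `RT::System->Roles` returns nothing, the `LimitToPrincipal ... for` loop never runs and the collection is narrowed only by object and right name; if `@rights` is empty, the `IN` limit receives an empty list. How RT::ACL handles either case is not visible from this hunk, and every row the collection yields is deleted, so I would bail out first with `my @roles = RT::System->Roles; return unless @rights and @roles;` and loop over `@roles`. A failed `$right->Delete` is only logged at error level, so an invalid global grant can survive the upgrade unless someone reads the log; a final summary line with the failure count would make that harder to miss. Separately, the `dbh->do` in the first sub ignores its return value, which silently hides a failed delete unless the handle is configured to raise errors.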

-----------------------------------------------------------------------

