[Rt-commit] rt branch, 4.2/see-queue-groups, created. rt-4.2.10-223-ga31a88c

Alex Vandiver alexmv at bestpractical.com
Mon Mar 30 19:41:58 EDT 2015


The branch, 4.2/see-queue-groups has been created
        at  a31a88c0a73d129fd3c6e7a1233109008ce94a18 (commit)

- Log -----------------------------------------------------------------
commit a31a88c0a73d129fd3c6e7a1233109008ce94a18
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Dec 30 13:13:01 2014 -0500

    Always allow role and system groups to be enumerated
    
    Previously, the SeeGroup right controlled RT::Groups results even for
    internal groups; this caused the queue rights page for a user with
    AdminQueue but not SeeGroup to not list Everyone / Privileged /
    Unprivileged, nor the queue role groups.
    
    Allow system groups to always be seen, and role groups to be seen if the
    user can see the object the role group is on.  This is a broadening of
    the privileges that previously existed.
    
    Note that as ->CurrentUserCanSee is not used to ACL ->_Value, this does
    not quite enforce a group ACL globally; any explicitly loaded group can
    still be examined.
    
    Fixes: I#30416

diff --git a/lib/RT/Group.pm b/lib/RT/Group.pm
index b79f474..c493cf2 100644
--- a/lib/RT/Group.pm
+++ b/lib/RT/Group.pm
@@ -1358,15 +1358,28 @@ sub _Set {
 
 =head2 CurrentUserCanSee
 
-Always returns 1; unfortunately, for historical reasons, users have
-always been able to examine groups they have indirect access to, even if
-they do not have SeeGroup explicitly.
+Returns 1 if the group is user-defined and the user has SeeGroup on it;
+returns 1 for internal groups, or role groups on objects which the user
+has permissions to see.
 
 =cut
 
 sub CurrentUserCanSee {
     my $self = shift;
-    return 1;
+
+    if ($self->Domain eq "UserDefined") {
+        return $self->CurrentUserHasRight("SeeGroup");
+    } elsif ($self->Domain eq "SystemInternal") {
+        return 1;
+    } elsif ($self->Domain eq "ACLEquivalence") {
+        return 1;
+    } elsif ($self->RoleClass) {
+        my $role = $self->RoleGroupObject;
+        return $role->CurrentUserCanSee if $role->can("CurrentUserCanSee");
+        return 1;
+    } else {
+        return 1;
+    }
 }
 
 
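Review bot: the `elsif ($self->RoleClass)` branch calls `$role->can("CurrentUserCanSee")` on whatever `RoleGroupObject` returned without checking that it is defined; if the role group's parent object cannot be loaded, this dies mid-ACL-check instead of returning a verdict. Suggest `return 0 unless $role;` so the failure closes. In the same spirit, the trailing `else { return 1 }` and the `return 1` after the `can` check both fail open for groups this method does not recognise, which matters more now that `RT::Groups::AddRecord` uses this method as its enumeration gate; either fail closed there or state in the POD that unknown domains and role objects without `CurrentUserCanSee` are treated as visible. The new POD text also says "internal groups" but the code returns 1 unconditionally for `ACLEquivalence` as well as `SystemInternal`; spelling out that ACLEquivalence groups are always enumerable would make the broadening the commit message describes explicit.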
diff --git a/lib/RT/Groups.pm b/lib/RT/Groups.pm
index 4d06528..3bb063e 100644
--- a/lib/RT/Groups.pm
+++ b/lib/RT/Groups.pm
@@ -475,13 +475,12 @@ sub AddRecord {
     # If we've explicitly limited to groups the user is a member of (for
     # dashboard or savedsearch privacy objects), skip the ACL.
     return unless $self->{with_current_user}
-        or $record->CurrentUserHasRight('SeeGroup');
+        or $record->CurrentUserCanSee;
 
     return $self->SUPER::AddRecord( $record );
 }
 
 
-
 sub _DoSearch {
     my $self = shift;
 
diff --git a/lib/RT/Ticket.pm b/lib/RT/Ticket.pm
index 6f8d2b4..3d400b6 100644
--- a/lib/RT/Ticket.pm
+++ b/lib/RT/Ticket.pm
@@ -2867,7 +2867,7 @@ sub CurrentUserCanSee {
     my ($what, $txn) = @_;
     return 0 unless $self->CurrentUserHasRight('ShowTicket');
 
-    return 1 if $what ne "Transaction";
+    return 1 unless $what and $what eq "Transaction";
 
     # If it's a comment, we need to be extra special careful
     my $type = $txn->__Value('Type');
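Review bot: this change lets `CurrentUserCanSee` be called with no arguments (as the role-group branch in the Group.pm hunk does) without an "uninitialized value" warning from `ne`, which is correct, but the method's POD should document that a no-argument call checks only `ShowTicket` and never consults `$txn`, and a test for the no-argument form would pin that behaviour; otherwise the dependency between this hunk and the Group.pm change is invisible to the next reader of `Ticket.pm`.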

-----------------------------------------------------------------------