[Rt-commit] rt branch, 4.4/edit-saved-searches-right, created. rt-4.4.4-14-g0aa64e660

Jim Brandt jbrandt at bestpractical.com
Fri Apr 5 14:46:45 EDT 2019


The branch, 4.4/edit-saved-searches-right has been created
        at  0aa64e660780000cc5f9491979c31cc88a59113a (commit)

- Log -----------------------------------------------------------------
commit 0d6af9eeed71f7b316343a6cf3a2e0fe6418a0fa
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Apr 5 13:39:57 2019 -0400

    Add ObjectsForCreating method
    
    This method is mentioned as a wrapper in the comment for the
    internal _PrivacyObjects method, but didn't previously exist. Add it
    to provide a wrapper that performs rights checks consistent
    with creating saved searches.

diff --git a/lib/RT/SavedSearch.pm b/lib/RT/SavedSearch.pm
index 79474ea56..c0fcfc4ff 100644
--- a/lib/RT/SavedSearch.pm
+++ b/lib/RT/SavedSearch.pm
@@ -190,6 +190,38 @@ sub ObjectsForLoading {
     return grep { $self->CurrentUserCanSee($_) } $self->_PrivacyObjects( "SavedSearch" );
 }
 
+=head2 ObjectsForCreating
+
+In the context of the current user, load a list of objects that could have searches
+saved under, including the current user and groups. This method considers both rights
+and group membership when creating the list of objects for saved searches.
+
+=cut
+
+sub ObjectsForCreating {
+    my $self = shift;
+    my @objects = $self->_PrivacyObjects( );
+    my @create_objects;
+
+    foreach my $object ( @objects ) {
+        # Users need CreateSavedSearch to save personal searches
+        if ( ref $object
+             && ref $object eq 'RT::User'
+             && $self->CurrentUser->HasRight( Right => 'CreateSavedSearch', Object => $object ) ) {
+            push @create_objects, $object;
+        }
+
+        # On groups, the EditSavedSearches right manages create and edit
+        if ( ref $object
+             && ref $object eq 'RT::Group'
+             && $self->CurrentUser->HasRight( Right => 'EditSavedSearches', Object => $object ) ) {
+            push @create_objects, $object;
+        }
+    }
+
+    return @create_objects;
+}
+
 RT::Base->_ImportOverlays();
 
 1;
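Review bot: The POD for `ObjectsForCreating` says it "considers both rights and group membership" but never names the rights, which is what a caller needs to know. `CreateSavedSearch` is checked against the RT::User object and `EditSavedSearches` against each RT::Group. I would add a line such as `The user is included only with CreateSavedSearch; a group only with EditSavedSearches on it. Objects of any other class are omitted.` The last clause is worth stating because the loop compares `ref $object` to the exact strings 'RT::User' and 'RT::Group', so anything else (an RT::System object, for instance) is silently left out and callers have to add it themselves. `_PrivacyObjects( )` is also called without the "SavedSearch" argument that `ObjectsForLoading` passes; that looks intentional, and a short comment saying so would help.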

commit 73b081dbf8e5042233c9e1008b5921fb753afd55
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Apr 5 14:08:12 2019 -0400

    Add tests for ObjectsForCreating

diff --git a/t/api/savedsearch.t b/t/api/savedsearch.t
index 2e924bf7b..9693fcc9f 100644
--- a/t/api/savedsearch.t
+++ b/t/api/savedsearch.t
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 BEGIN { $ENV{'LANG'} = 'C' }
 
-use RT::Test tests => 27;
+use RT::Test tests => undef;
 
 use_ok('RT::SavedSearch');
 use_ok('RT::SavedSearches');
@@ -25,11 +25,22 @@ $searchuser->PrincipalObj->GrantRight(Right => 'ModifySelf');
 my $ingroup = RT::Group->new(RT->SystemUser);
 $ingroup->CreateUserDefinedGroup(Name => 'searchgroup1'.$$);
 $ingroup->AddMember($searchuser->Id);
+
+diag('Check saved search rights');
+my @create_objects = RT::SavedSearch->new($searchuser)->ObjectsForCreating;
+
+is( scalar @create_objects, 1, 'Got one Privacy option for saving searches');
+is( $create_objects[0]->Id, $searchuser->Id, 'Privacy option is personal saved search');
+
 $searchuser->PrincipalObj->GrantRight(Right => 'EditSavedSearches',
                                       Object => $ingroup);
 $searchuser->PrincipalObj->GrantRight(Right => 'ShowSavedSearches',
                                       Object => $ingroup);
 
+ at create_objects = RT::SavedSearch->new($searchuser)->ObjectsForCreating;
+is( scalar @create_objects, 2, 'Got two Privacy options for saving searches');
+is( $create_objects[1]->Id, $ingroup->Id, 'Second Privacy option is group saved search');
+
 # This is the group whose searches searchuser should not be able to see.
 my $outgroup = RT::Group->new(RT->SystemUser);
 $outgroup->CreateUserDefinedGroup(Name => 'searchgroup2'.$$);
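Review bot: The two-object assertion runs after both `EditSavedSearches` and `ShowSavedSearches` have been granted on `$ingroup`, so it does not show which right makes the group appear. Since the method gates groups on `EditSavedSearches` only, I would either move the second `ObjectsForCreating` call between the two `GrantRight` calls, or add a case that grants only `ShowSavedSearches` and asserts the count is still 1. The `$create_objects[1]` check also appears to rely on the user being returned before any group; comparing a sorted list of Ids would make the test less order-sensitive.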
@@ -179,3 +190,4 @@ ok($ret, "Deleted genericsearch");
 $allsearches->LimitToPrivacy('RT::User-'.$curruser->Id);
 is($allsearches->Count, 1, "Found all searchuser's searches after deletion");
 
+done_testing();

commit 272dd610b9ab1bc701d43fe66bb44095639bbf96
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Apr 5 14:10:30 2019 -0400

    For saved searches, split objects lists for creating and loading
    
    Different rights manage creating/editing saved searches and
    loading them, so split loading the list of valid objects into
    two different data structures.
    
    Also use the corresponding wrapper methods to load the objects
    rather than calling the _PrivacyObjects method directly.
    
    This change fixes a bug in the Privacy menu. Previously it
    loaded all groups the user is a member of without checking the
    EditSavedSearches right. If the user then tried to save a search
    for a group without that right, they would receive an error and
    the search would not be saved. The dropdown now checks for this
    right and only shows group options that the user can save to based
    on rights.

diff --git a/share/html/Search/Elements/EditSearches b/share/html/Search/Elements/EditSearches
index e7de62bd0..6e7220eb1 100644
--- a/share/html/Search/Elements/EditSearches
+++ b/share/html/Search/Elements/EditSearches
@@ -51,7 +51,7 @@
 %# Hide all the save functionality if the user shouldn't see it.
 % if ( $can_modify ) {
 <span class="label"><&|/l&>Privacy</&>:</span>
-<& SelectSearchObject, Name => 'SavedSearchOwner', Objects => \@Objects, Object => ( $Object && $Object->id ) ? $Object->Object : '' &>
+<& SelectSearchObject, Name => 'SavedSearchOwner', Objects => \@CreateObjects, Object => ( $Object && $Object->id ) ? $Object->Object : '' &>
 <br />
 <span class="label"><&|/l&>Description</&>:</span>
 <input size="25" name="SavedSearchDescription" value="<% $Description || '' %>" />
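Review bot: Passing `\@CreateObjects` here narrows what the Privacy menu offers, but the menu is only a display filter: `SavedSearchOwner` still arrives as a request parameter, so the right has to be enforced when the search is saved. The commit message says such saves already fail with an error, which suggests that check exists outside this diff. A template comment would keep the two from being confused later, e.g. `%# Display filter only; saving still checks rights on the submitted SavedSearchOwner.`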
@@ -76,7 +76,7 @@
 <br />
 <hr />
 <span class="label"><&|/l&>Load saved search</&>:</span>
-<& SelectSearchesForObjects, Name => 'SavedSearchLoad', Objects => \@Objects, SearchType => $Type &>
+<& SelectSearchesForObjects, Name => 'SavedSearchLoad', Objects => \@LoadObjects, SearchType => $Type &>
 <input type="submit" value="<% loc('Load') %>" id="SavedSearchLoadSubmit" name="SavedSearchLoadSubmit" class="button" />
 
 </&>
@@ -93,8 +93,13 @@ my $can_modify = $session{'CurrentUser'}->HasRight(
 );
 
 use RT::SavedSearch;
-my @Objects = RT::SavedSearch->new($session{CurrentUser})->_PrivacyObjects;
-push @Objects, RT::System->new( $session{'CurrentUser'} )
+my @LoadObjects = RT::SavedSearch->new($session{CurrentUser})->ObjectsForLoading;
+push @LoadObjects, RT::System->new( $session{'CurrentUser'} )
+    if $session{'CurrentUser'}->HasRight( Object=> $RT::System,
+                                          Right => 'SuperUser' );
+
+my @CreateObjects = RT::SavedSearch->new($session{CurrentUser})->ObjectsForCreating;
+push @CreateObjects, RT::System->new( $session{'CurrentUser'} )
     if $session{'CurrentUser'}->HasRight( Object=> $RT::System,
                                           Right => 'SuperUser' );
 
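Review bot: Switching `@LoadObjects` from `_PrivacyObjects` to `ObjectsForLoading` also changes what the "Load saved search" list can contain. That wrapper, visible as context in lib/RT/SavedSearch.pm, filters with `CurrentUserCanSee` and passes "SavedSearch" to `_PrivacyObjects`. The commit message and the UPGRADING entry describe only the Privacy menu, so a sentence covering the load list would be worth adding. Separately, the SuperUser `HasRight` call is now evaluated twice with identical arguments; computing it once into a lexical such as `$is_superuser` and using `if $is_superuser` on both `push` lines would keep the two lists from drifting apart. The enclosing init block starts outside this hunk.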

commit 0aa64e660780000cc5f9491979c31cc88a59113a
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Apr 5 14:46:33 2019 -0400

    Note behavior change in UPGRADING doc

diff --git a/docs/UPGRADING-4.4 b/docs/UPGRADING-4.4
index 1fc0fe133..d2da81603 100644
--- a/docs/UPGRADING-4.4
+++ b/docs/UPGRADING-4.4
@@ -615,4 +615,22 @@ now contains the reference to the message content as the name implies.
 
 =back
 
+=head1 UPGRADING FROM 4.4.4 AND EARLIER
+
+=over 4
+
+=item * Privacy Menu in Query Builder
+
+On the Query Builder, the Privacy menu loads groups you are a member of as potential
+places to save searches. However, it previously did not confirm the current user
+had the EditSavedSearches right, so you might try to save a search with a group
+and receive an error until that right was granted.
+
+This has been fixed, so now groups load only if you have rights to create the
+search via EditSavedSearches on the group or globally. This may change the groups
+that appear in the Privacy menu, but shouldn't change functionality since users
+without the correct rights were unable to create searches.
+
+=back
+
 =cut

-----------------------------------------------------------------------

