[Rt-devel] RT::Ticket->AddWatcher logic error?

Todd Chapman todd at chaka.net
Mon Mar 6 13:52:01 EST 2006


AddWatcher only checks if the watcher being added has
'WatchAsAdminCc' or 'Watch' right when the CurrentUser
is the one being added. This means that using a scrip,
a watcher could be added that doesn't have the right.

So is the right supposed to be enforced for all users,
or is it just used to control which users show up
in the web interface? I would guess the former, but
the latter is currently implemented.

The attached patch shows that the user doesn't have
the right but AddWatcher succeeds anyway. (It also
makes it so the test can be run multiple times
without dropping the DB.)

-Todd
-------------- next part --------------
=== lib/t/regression/07rights.t
==================================================================
--- lib/t/regression/07rights.t	(revision 5716)
+++ lib/t/regression/07rights.t	(local)
@@ -45,7 +45,7 @@
 # 
 # END BPS TAGGED BLOCK }}}
 
-use Test::More tests => 26;
+use Test::More tests => 27;
 use RT;
 RT::LoadConfig();
 RT::Init();
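Review bot: the plan bump from 26 to 27 matches the single ok() added further down in this patch, so the count stays in sync; nothing to change here.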
@@ -70,13 +70,13 @@
 
 # create new queue to be shure we don't mess with rights
 my $queue = RT::Queue->new($RT::SystemUser);
-my ($queue_id) = $queue->Create( Name => 'rights');
+my ($queue_id) = $queue->Create( Name => "rights.$$");
 ok( $queue_id, 'queue created for rights tests' );
 
 # new privileged user to check rights
 my $user = RT::User->new( $RT::SystemUser );
-my ($user_id) = $user->Create( Name => 'rights',
-			   EmailAddress => 'rights at localhost',
+my ($user_id) = $user->Create( Name => "rights.$$",
+			   EmailAddress => "rights.$$\@localhost",
 			   Privileged => 1,
 			   Password => 'qwe123',
 			 );
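Review bot: the ".$$" suffix on the queue name, user name and e-mail address makes each run unique, but it leaves a fresh queue and user behind in the database on every run rather than cleaning them up, and a process id can be reused once the PID counter wraps, so the names are unique per run, not over time. Consider deleting or disabling the queue and user at the end of the test, or at least using a random suffix instead of $$. The "\@" in "rights.$$\@localhost" is correctly escaped for interpolation.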
@@ -116,6 +116,7 @@
 ok( $ace_id, "Granted queue AdminCc role group with ModifyTicket right: $msg" );
 ok( $group->PrincipalObj->HasRight( Right => 'ModifyTicket', Object => $queue ), "role group can modify ticket" );
 ok( !$user->HasRight( Right => 'ModifyTicket', Object => $ticket ), "user is not AdminCc and can't modify ticket" );
+ok( $user->HasRight( Right => 'WatchAsAdminCc', Object => $queue ), "user is not AdminCc and can watch ticket" );
 ($status, $msg) = $ticket->AddWatcher(Type => 'AdminCc', PrincipalId => $user->PrincipalId);
 ok( $status, "successfuly added user as AdminCc");
 ok( $user->HasRight( Right => 'ModifyTicket', Object => $ticket ), "user is AdminCc and can modify ticket" );
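Review bot: the new assertion points the opposite way from the cover note: ok( $user->HasRight( Right => 'WatchAsAdminCc', Object => $queue ), ... ) passes only if the user holds WatchAsAdminCc, yet the note says the user does not have the right and AddWatcher succeeds anyway, and the description "user is not AdminCc and can watch ticket" does not match a check that is expected to fail. To make the test record the bug rather than just go red, assert !$user->HasRight( Right => 'WatchAsAdminCc', Object => $queue ) and then ok( !$status, ... ) on the following AddWatcher call, wrapping the latter in a TODO block until the enforcement fix lands.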
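The two shapes of the check described in the message, as an added illustration in Perl that is not RT's own code and not part of the original post: a tiny in-memory ACL, one add_watcher that only checks the right when the caller is the principal being added (the behaviour reported above), and one that always checks the principal being added. Every name here (has_right, add_watcher_as_reported, add_watcher_checked, the %acl hash, the users alice, bob and system) is hypothetical and constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not RT's code. Models the AddWatcher check from the
# post with an in-memory ACL; all names are hypothetical.
use strict;
use warnings;

# Constructed ACL: which principals hold WatchAsAdminCc on the queue.
my %acl = ( alice => { WatchAsAdminCc => 1 } );

sub has_right {
    my ( $principal, $right ) = @_;
    return ( $acl{$principal}{$right} ) ? 1 : 0;
}

# The pattern the post describes: the right is checked only when the
# current user is the principal being added. Anything running as another
# user, such as a scrip acting as the system user, skips the check.
sub add_watcher_as_reported {
    my (%args) = @_;
    if (   $args{current_user} eq $args{principal}
        && !has_right( $args{principal}, 'WatchAsAdminCc' ) )
    {
        return ( 0, "Permission denied" );
    }
    return ( 1, "Added $args{principal} as AdminCc" );
}

# Enforcing form: the right is checked for the principal being added,
# whoever is performing the action.
sub add_watcher_checked {
    my (%args) = @_;
    unless ( has_right( $args{principal}, 'WatchAsAdminCc' ) ) {
        return ( 0, "$args{principal} lacks WatchAsAdminCc" );
    }
    return ( 1, "Added $args{principal} as AdminCc" );
}

for my $impl (
    [ as_reported => \&add_watcher_as_reported ],
    [ checked     => \&add_watcher_checked ],
  )
{
    my ( $name, $fn ) = @$impl;

    # bob holds no right; a scrip running as 'system' tries to add him.
    my ( $ok, $msg ) = $fn->( current_user => 'system', principal => 'bob' );
    printf "%-12s system adds bob: status=%d  %s\n", $name, $ok, $msg;

    # bob adding himself is refused by both versions.
    ( $ok, $msg ) = $fn->( current_user => 'bob', principal => 'bob' );
    printf "%-12s bob adds self:   status=%d  %s\n", $name, $ok, $msg;
}
```

Running it shows the asymmetry the post points out: the as_reported version refuses bob when he adds himself but lets the system user add him, while the checked version refuses both, because it keys the decision on the principal being added rather than on who is doing the adding.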

