[Bps-public-commit] rt-extension-rightsdebugger branch, master, updated. 92d1f043195bbfafe4ba181baf09a2f59e6785d1

[Shawn Moore]

The branch, master has been updated
       via  92d1f043195bbfafe4ba181baf09a2f59e6785d1 (commit)
      from  bed0df30df49898fb5ebfc205b694be6f1184971 (commit)

Summary of changes:
 html/Admin/RightsDebugger/index.html |  4 +++-
 lib/RT/Extension/RightsDebugger.pm   | 27 ++++++++++++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)

- Log -----------------------------------------------------------------
commit 92d1f043195bbfafe4ba181baf09a2f59e6785d1
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Tue Feb 28 19:35:02 2017 +0000

    Disable the revoke button for RT's two mandatory rights
    
    RT_System having SuperUser on RT::System
    Nobody having OwnTicket on RT::System

diff --git a/html/Admin/RightsDebugger/index.html b/html/Admin/RightsDebugger/index.html
index 95a72b7..9f028e0 100644
--- a/html/Admin/RightsDebugger/index.html
+++ b/html/Admin/RightsDebugger/index.html
@@ -26,7 +26,9 @@
     <div class="principal cell">{{> render_record item.principal}}</div>
     <div class="object cell">{{> render_record item.object}}</div>
     <div class="right cell">{{search_highlight item.right search.right}}</div>
-    <div class="revoke cell"><button>Revoke</button></div>
+    <div class="revoke cell">
+        <button {{#if item.disable_revoke}}class="ui-state-disabled" disabled="disabled"{{/if}}>Revoke</button>
+    </div>
   </div>
 </script>
 
diff --git a/lib/RT/Extension/RightsDebugger.pm b/lib/RT/Extension/RightsDebugger.pm
index d8b4326..7f4fd82 100644
--- a/lib/RT/Extension/RightsDebugger.pm
+++ b/lib/RT/Extension/RightsDebugger.pm
@@ -13,12 +13,33 @@ sub SerializeACE {
     my $ACE = shift;
 
     return {
-        principal => $self->SerializeRecord($ACE->PrincipalObj),
-        object    => $self->SerializeRecord($ACE->Object),
-        right     => $ACE->RightName,
+        principal      => $self->SerializeRecord($ACE->PrincipalObj),
+        object         => $self->SerializeRecord($ACE->Object),
+        right          => $ACE->RightName,
+        disable_revoke => $self->DisableRevoke($ACE),
     };
 }
 
+sub DisableRevoke {
+    my $self = shift;
+    my $ACE = shift;
+    my $Principal = $ACE->PrincipalObj;
+    my $Object    = $ACE->Object;
+    my $Right     = $ACE->RightName;
+
+    if ($Principal->Object->Domain eq 'ACLEquivalence') {
+        my $User = $Principal->Object->InstanceObj;
+        if ($User->Id == RT->SystemUser->Id && $Object->isa('RT::System') && $Right eq 'SuperUser') {
+            return 1;
+        }
+        if ($User->Id == RT->Nobody->Id && $Object->isa('RT::System') && $Right eq 'OwnTicket') {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 sub SerializeRecord {
     my $self = shift;
     my $record = shift;

-----------------------------------------------------------------------