[Rt-commit] [svn] r1867 - in rt/branches/PLATANO-EXPERIMENTAL-CSS: . lib/RT

jesse at pallas.eruditorum.org jesse at pallas.eruditorum.org
Thu Nov 11 03:52:24 EST 2004


Author: jesse
Date: Thu Nov 11 03:52:24 2004
New Revision: 1867

Modified:
   rt/branches/PLATANO-EXPERIMENTAL-CSS/   (props changed)
   rt/branches/PLATANO-EXPERIMENTAL-CSS/lib/RT/Principal_Overlay.pm
Log:
 r9129 at tinbook:  jesse | 2004-11-11T04:08:00.711759Z
  r8963 at tinbook:  jesse | 2004-11-09T07:55:26.294077Z
  Just formatting changes. ran perltidy on HasRight.
  
  
 


Modified: rt/branches/PLATANO-EXPERIMENTAL-CSS/lib/RT/Principal_Overlay.pm
==============================================================================
--- rt/branches/PLATANO-EXPERIMENTAL-CSS/lib/RT/Principal_Overlay.pm	(original)
+++ rt/branches/PLATANO-EXPERIMENTAL-CSS/lib/RT/Principal_Overlay.pm	Thu Nov 11 03:52:24 2004
@@ -250,18 +250,23 @@
 sub HasRight {
 
     my $self = shift;
-    my %args = ( Right      => undef,
-                 Object     => undef,
-                 EquivObjects    => undef,
-                 @_ );
+    my %args = (
+        Right        => undef,
+        Object       => undef,
+        EquivObjects => undef,
+        @_
+    );
 
     if ( $self->Disabled ) {
-        $RT::Logger->err( "Disabled User:  " . $self->id . " failed access check for " . $args{'Right'} );
+        $RT::Logger->err( "Disabled User:  "
+              . $self->id
+              . " failed access check for "
+              . $args{'Right'} );
         return (undef);
     }
 
     if ( !defined $args{'Right'} ) {
-        $RT::Logger->crit("HasRight called without a right" );
+        $RT::Logger->crit("HasRight called without a right");
         return (undef);
     }
 
@@ -277,48 +282,50 @@
     }
 
     # If this object is a ticket, we care about ticket roles and queue roles
-    if ( (ref($args{'Object'}) eq 'RT::Ticket') && $args{'Object'}->Id) {
-        # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object
-        # and ask all the rest of our questions about the queue.
-        push (@{$args{'EquivObjects'}}, $args{'Object'}->QueueObj);
+    if ( ( ref( $args{'Object'} ) eq 'RT::Ticket' ) && $args{'Object'}->Id ) {
 
-    }
+# this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object
+# and ask all the rest of our questions about the queue.
+        push( @{ $args{'EquivObjects'} }, $args{'Object'}->QueueObj );
 
+    }
 
     # {{{ If we've cached a win or loss for this lookup say so
 
     # {{{ Construct a hashkey to cache decisions in
     my $hashkey = do {
-	no warnings 'uninitialized';
-        
-	# We don't worry about the hash ordering, as this is only
-	# temporarily used; also if the key changes it would be
-	# invalidated anyway.
-        join (
-            ";:;", $self->Id, map {
-                $_,                              # the key of each arguments
-                ($_ eq 'EquivObjects')           # for object arrayref...
-		    ? map(_ReferenceId($_), @{$args{$_}}) # calculate each
-                    : _ReferenceId( $args{$_} ) # otherwise just the value
-            } keys %args
+        no warnings 'uninitialized';
+
+        # We don't worry about the hash ordering, as this is only
+        # temporarily used; also if the key changes it would be
+        # invalidated anyway.
+        join(
+            ";:;",
+            $self->Id,
+            map {
+                $_,    # the key of each arguments
+                  ( $_ eq 'EquivObjects' )    # for object arrayref...
+                  ? map( _ReferenceId($_), @{ $args{$_} } )    # calculate each
+                  : _ReferenceId( $args{$_} )    # otherwise just the value
+              } keys %args
         );
     };
-    # }}}
 
+    # }}}
 
     # {{{ if we've cached a positive result for this query, return 1
 
-        my $cached_answer = $_ACL_CACHE->fetch($hashkey);
-        # Returns undef on cache miss
-        if (defined $cached_answer) {
-            if ($cached_answer == 1) {
-                   return(1);
-                }
-            elsif ($cached_answer == -1) {
-                return(0); 
-             }
-        }
+    my $cached_answer = $_ACL_CACHE->fetch($hashkey);
 
+    # Returns undef on cache miss
+    if ( defined $cached_answer ) {
+        if ( $cached_answer == 1 ) {
+            return (1);
+        }
+        elsif ( $cached_answer == -1 ) {
+            return (0);
+        }
+    }
 
     my ( $or_look_at_object_rights, $or_check_roles );
     my $right = $args{'Right'};
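Review bot: The two comment lines inside the `RT::Ticket` branch now sit at column 0 while the `push` they describe is indented, presumably because they are too long for the formatter to indent. The same happens to the comments between the pieces of `$query_base` and `$groups_query` in the next hunk. Re-wrapping them lets them indent with the code, e.g. `# This is a little hacky: now that the ticket roles are handled, load` / `# the queue object and ask the remaining questions about the queue.` It matters more in the SQL-building hunk, where flush-left comments in the middle of a concatenation make the query that decides the access check hard to follow. `HasRight` starts and ends outside this hunk.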
@@ -326,103 +333,108 @@
     # {{{ Construct Right Match
 
     # If an object is defined, we want to look at rights for that object
-   
-    my @look_at_objects;
-    push (@look_at_objects, "ACL.ObjectType = 'RT::System'")
-        unless $self->can('_IsOverrideGlobalACL') and $self->_IsOverrideGlobalACL($args{Object});
-
 
+    my @look_at_objects;
+    push( @look_at_objects, "ACL.ObjectType = 'RT::System'" )
+      unless $self->can('_IsOverrideGlobalACL')
+      and $self->_IsOverrideGlobalACL( $args{Object} );
+
+    foreach my $obj ( @{ $args{'EquivObjects'} } ) {
+        next unless ( UNIVERSAL::can( $obj, 'id' ) );
+        my $type = ref($obj);
+        my $id   = $obj->id;
+
+        unless ($id) {
+            use Carp;
+            Carp::cluck(
+                "Trying to check $type rights for an unspecified $type");
+            $RT::Logger->crit(
+                "Trying to check $type rights for an unspecified $type");
+        }
+        push @look_at_objects,
+          "(ACL.ObjectType = '$type' AND ACL.ObjectId = '$id')";
+    }
 
-    foreach my $obj (@{$args{'EquivObjects'}}) {
-            next unless (UNIVERSAL::can($obj, 'id'));
-            my $type = ref($obj);
-            my $id = $obj->id;
-
-            unless ($id) {
-                use Carp;
-		Carp::cluck("Trying to check $type rights for an unspecified $type");
-                $RT::Logger->crit("Trying to check $type rights for an unspecified $type");
-            }
-            push @look_at_objects, "(ACL.ObjectType = '$type' AND ACL.ObjectId = '$id')"; 
-            }
-
-     
     # }}}
 
     # {{{ Build that honkin-big SQL query
 
-    
-
-    my $query_base = "SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE  ".
-    # Only find superuser or rights with the name $right
-   "(ACL.RightName = 'SuperUser' OR  ACL.RightName = '$right') ".
-   # Never find disabled groups.
-   "AND Principals.Disabled = 0 " .
-   "AND CachedGroupMembers.Disabled = 0  ".
-    "AND Principals.id = Groups.id " .  # We always grant rights to Groups
-
-    # See if the principal is a member of the group recursively or _is the rightholder_
-    # never find recursively disabled group members
-    # also, check to see if the right is being granted _directly_ to this principal,
-    #  as is the case when we want to look up group rights
-    "AND  Principals.id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId = '" . $self->Id . "' ".
-
-    # Make sure the rights apply to the entire system or to the object in question
-    "AND ( ".join(' OR ', @look_at_objects).") ";
-
-
+    my $query_base =
+      "SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE  " .
 
-    # The groups query does the query based on group membership and individual user rights
+      # Only find superuser or rights with the name $right
+      "(ACL.RightName = 'SuperUser' OR  ACL.RightName = '$right') " .
 
-	my $groups_query = $query_base . 
+      # Never find disabled groups.
+      "AND Principals.Disabled = 0 "
+      . "AND CachedGroupMembers.Disabled = 0  "
+      . "AND Principals.id = Groups.id "
+      .    # We always grant rights to Groups
+
+# See if the principal is a member of the group recursively or _is the rightholder_
+# never find recursively disabled group members
+# also, check to see if the right is being granted _directly_ to this principal,
+#  as is the case when we want to look up group rights
+"AND  Principals.id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId = '"
+      . $self->Id . "' "
+      .
+
+  # Make sure the rights apply to the entire system or to the object in question
+      "AND ( " . join( ' OR ', @look_at_objects ) . ") ";
+
+# The groups query does the query based on group membership and individual user rights
+
+    my $groups_query = $query_base .
+
+# limit the result set to groups of types ACLEquivalence (user)  UserDefined, SystemInternal and Personal
+"AND ( (  ACL.PrincipalId = Principals.id AND ACL.PrincipalType = 'Group' AND "
+      . "(Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence' OR Groups.Domain = 'Personal'))"
+      .
 
-    # limit the result set to groups of types ACLEquivalence (user)  UserDefined, SystemInternal and Personal
-    "AND ( (  ACL.PrincipalId = Principals.id AND ACL.PrincipalType = 'Group' AND ".
-        "(Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence' OR Groups.Domain = 'Personal'))".
+      " ) ";
+    $self->_Handle->ApplyLimits( \$groups_query, 1 );    #only return one result
 
-        " ) ";
-        $self->_Handle->ApplyLimits(\$groups_query, 1); #only return one result
-        
     my @roles;
-    foreach my $object (@{$args{'EquivObjects'}}) { 
-          push (@roles, $self->_RolesForObject(ref($object), $object->id));
+    foreach my $object ( @{ $args{'EquivObjects'} } ) {
+        push( @roles, $self->_RolesForObject( ref($object), $object->id ) );
     }
 
     # The roles query does the query based on roles
     my $roles_query;
     if (@roles) {
-	 $roles_query = $query_base . "AND ".
-            " ( (".join (' OR ', @roles)." ) ".  
-        " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.id AND Principals.PrincipalType = 'Group') "; 
-        $self->_Handle->ApplyLimits(\$roles_query, 1); #only return one result
-
-   }
-
+        $roles_query =
+            $query_base . "AND " . " ( ("
+          . join( ' OR ', @roles ) . " ) "
+          . " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.id AND Principals.PrincipalType = 'Group') ";
+        $self->_Handle->ApplyLimits( \$roles_query, 1 ); #only return one result
 
+    }
 
     # }}}
 
     # {{{ Actually check the ACL by performing an SQL query
-    #   $RT::Logger->debug("Now Trying $groups_query");	
+    #   $RT::Logger->debug("Now Trying $groups_query");
     my $hitcount = $self->_Handle->FetchResult($groups_query);
 
     # }}}
-    
-    # {{{ if there's a match, the right is granted 
+
+    # {{{ if there's a match, the right is granted
     if ($hitcount) {
-        $_ACL_CACHE->set($hashkey => 1);
+        $_ACL_CACHE->set( $hashkey => 1 );
         return (1);
     }
+
     # Now check the roles query
-    	$hitcount = $self->_Handle->FetchResult($roles_query);
+    $hitcount = $self->_Handle->FetchResult($roles_query);
 
     if ($hitcount) {
-        $_ACL_CACHE->set($hashkey => 1);
+        $_ACL_CACHE->set( $hashkey => 1 );
         return (1);
     }
+
     # We failed to find an acl hit
-     $_ACL_CACHE->set($hashkey => -1);
-     return (undef);
+    $_ACL_CACHE->set( $hashkey => -1 );
+    return (undef);
 }
 
 # }}}
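Review bot: The SQL in `$query_base` and `@look_at_objects` is built by interpolating `$right`, `$type`, `$id` and `$self->Id` directly into quoted literals, so a value containing a single quote would change the statement that decides the access check. Whether `Right` can ever carry caller-influenced text is not visible here, but the ACL lookup should not depend on that. Prefer placeholders, e.g. `"(ACL.RightName = 'SuperUser' OR ACL.RightName = ?) "` with `$right` passed as a bind value if `FetchResult` accepts them, or quote each value through the database handle before concatenating. Separately, `$roles_query` stays undefined when `@roles` is empty, yet `FetchResult($roles_query)` is still called; wrap that call in `if ( defined $roles_query ) { ... }`. `HasRight` starts before this hunk.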

