[Rt-commit] r13598 - in rt/3.8/trunk: . share/html/Dashboards share/html/Dashboards/Elements
sartak at bestpractical.com
sartak at bestpractical.com
Wed Jun 25 19:05:07 EDT 2008
Author: sartak
Date: Wed Jun 25 19:05:07 2008
New Revision: 13598
Modified:
rt/3.8/trunk/ (props changed)
rt/3.8/trunk/lib/RT/Dashboard.pm
rt/3.8/trunk/lib/RT/SharedSetting.pm
rt/3.8/trunk/share/html/Dashboards/Elements/Tabs
rt/3.8/trunk/share/html/Dashboards/Modify.html
Log:
r63247 at onn: sartak | 2008-06-25 19:04:31 -0400
Add a SharedSetting->CurrentUserCanSee
Modified: rt/3.8/trunk/lib/RT/Dashboard.pm
==============================================================================
--- rt/3.8/trunk/lib/RT/Dashboard.pm (original)
+++ rt/3.8/trunk/lib/RT/Dashboard.pm Wed Jun 25 19:05:07 2008
@@ -219,14 +219,14 @@
}
# _PrivacyObjects: returns a list of objects that can be used to load
-# dashboards from. If the Write parameter is true, then check write rights.
+# dashboards from. If the Modify parameter is true, then check write rights.
# Otherwise, check read rights.
sub _PrivacyObjects {
my $self = shift;
my %args = @_;
- my ($local_right, $system_right) = $args{Write}
+ my ($local_right, $system_right) = $args{Modify}
? ('ModifyDashboard', 'SuperUser')
: ('SeeDashboard', undef);
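Review bot: After this rename a caller that still passes `Write => 1` fails open to the read-rights pair: `$args{Modify}` is false for it, so the ternary selects `('SeeDashboard', undef)` without any error. The two callers updated in this commit (Tabs and Modify.html) are covered, but any caller outside the diff would quietly get a list built from read rights. Accepting the old key during a transition, `my $modify = $args{Modify} || $args{Write};`, or dying on an unrecognised key would keep that failure visible. The body of `_PrivacyObjects` continues past the end of the hunk.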
Modified: rt/3.8/trunk/lib/RT/SharedSetting.pm
==============================================================================
--- rt/3.8/trunk/lib/RT/SharedSetting.pm (original)
+++ rt/3.8/trunk/lib/RT/SharedSetting.pm Wed Jun 25 19:05:07 2008
@@ -327,6 +327,7 @@
=head2 IsVisibleTo Privacy
Returns true if the setting is visible to all principals of the given privacy.
+This does not deal with ACLs, this only looks at membership.
=cut
@@ -362,6 +363,31 @@
return 0;
}
+sub CurrentUserCanSee {
+ my $self = shift;
+ my $privacy = $self->Privacy;
+
+ return 1 if $privacy =~ /^RT::System/;
+
+ return 1 if $privacy =~ /^RT::User-(\d+)/
+ && $self->CurrentUser->Id == $1
+ && $self->CurrentUser->HasRight(
+ Right => 'SeeDashboard',
+ Object => $RT::System,
+ );
+
+ if ($privacy =~ /^RT::Group-(\d+)/) {
+ my $group = RT::Group->new($self->CurrentUser);
+ $group->Load($1);
+ return 1 if $self->CurrentUser->HasRight(
+ Right => 'SeeDashboard',
+ Object => $group,
+ );
+ }
+
+ return 0;
+}
+
### Internal methods
# _GetObject: helper routine to load the correct object whose parameters
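Review bot: `CurrentUserCanSee` returns 1 for any privacy matching `/^RT::System/` without a `HasRight` call, while the user branch requires `SeeDashboard` on `$RT::System` and the group branch requires it on the group. If system-wide settings are meant to be visible to everyone, a comment should say so; otherwise give the first branch the same check, `return 1 if $privacy =~ /^RT::System/ && $self->CurrentUser->HasRight(Right => 'SeeDashboard', Object => $RT::System);`. In the group branch the result of `$group->Load($1)` is ignored, so `HasRight` may be asked about a group that failed to load; `return 0 unless $group->Id;` after the load makes that case fail closed. The method also has no POD although `IsVisibleTo` above it is documented, and it hard-codes a dashboard right in the shared base class, which deserves a comment if other setting types inherit it.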
Modified: rt/3.8/trunk/share/html/Dashboards/Elements/Tabs
==============================================================================
--- rt/3.8/trunk/share/html/Dashboards/Elements/Tabs (original)
+++ rt/3.8/trunk/share/html/Dashboards/Elements/Tabs Wed Jun 25 19:05:07 2008
@@ -96,7 +96,7 @@
path => "Dashboards/index.html" };
my $dashboard = RT::Dashboard->new($session{'CurrentUser'});
-my @objects = $dashboard->_PrivacyObjects(Write => 1);
+my @objects = $dashboard->_PrivacyObjects(Modify => 1);
if (@objects) {
$tabs->{"B"} = { title => loc('New dashboard'),
Modified: rt/3.8/trunk/share/html/Dashboards/Modify.html
==============================================================================
--- rt/3.8/trunk/share/html/Dashboards/Modify.html (original)
+++ rt/3.8/trunk/share/html/Dashboards/Modify.html Wed Jun 25 19:05:07 2008
@@ -86,7 +86,7 @@
use RT::Dashboard;
my $Dashboard = RT::Dashboard->new($session{'CurrentUser'});
-my @privacies = $Dashboard->_PrivacyObjects(Write => 1);
+my @privacies = $Dashboard->_PrivacyObjects(Modify => 1);
my $can_delete = $session{'CurrentUser'}->HasRight(Right => 'DeleteDashboard', Object => $RT::System);
@@ -163,6 +163,7 @@
}
+Abort(loc("Permission denied")) unless $Dashboard->CurrentUserCanSee;
</%INIT>
<%ARGS>
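Review bot: The new `Abort(loc("Permission denied")) unless $Dashboard->CurrentUserCanSee;` sits on the last line of `<%INIT>`, so everything earlier in the block runs before the permission check. That earlier code is outside this hunk, but if it handles create, update or delete requests, they would be processed for a user who is then shown "Permission denied"; moving the check to directly after the dashboard is loaded avoids that. The check also tests a see right on the modify page, so the modify right has to be enforced somewhere else in the component. For a dashboard that has not been loaded yet, `Privacy` is presumably undefined, in which case `CurrentUserCanSee` matches none of its patterns and returns 0, so the create form would abort; this is worth confirming.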