[Rt-commit] r13632 - in rt/3.8/trunk: . share/html/Dashboards

sartak at bestpractical.com sartak at bestpractical.com
Thu Jun 26 20:07:23 EDT 2008


Author: sartak
Date: Thu Jun 26 20:07:23 2008
New Revision: 13632

Modified:
   rt/3.8/trunk/   (props changed)
   rt/3.8/trunk/lib/RT/SharedSetting.pm
   rt/3.8/trunk/share/html/Dashboards/Modify.html
   rt/3.8/trunk/share/html/Dashboards/Queries.html
   rt/3.8/trunk/share/html/Dashboards/Subscription.html

Log:
 r63277 at onn:  sartak | 2008-06-26 17:30:23 -0400
 Remove the ACL checks from the view, they need to be in the API (and improved to handle groups)


Modified: rt/3.8/trunk/lib/RT/SharedSetting.pm
==============================================================================
--- rt/3.8/trunk/lib/RT/SharedSetting.pm	(original)
+++ rt/3.8/trunk/lib/RT/SharedSetting.pm	Thu Jun 26 20:07:23 2008
@@ -177,13 +177,7 @@
     return (0, $self->loc("Failed to load object for [_1]", $privacy))
         unless $object;
 
-    if ( $object->isa('RT::System') ) {
-        return (0, $self->loc("No permission to save system-wide [_1]", $self->ObjectName))
-            unless $self->CurrentUser->HasRight(
-                Object => $RT::System,
-                Right  => 'SuperUser',
-            );
-    }
+    # XXX: check acls
 
     my ($att_id, $att_msg) = $self->SaveAttribute($object, \%args);
 
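Review bot: The `# XXX: check acls` placeholder leaves this save path with no rights check in this revision, so saving against a privacy that resolves to an `RT::System` object no longer requires `SuperUser`. This file is the API layer that the log message says the checks belong in, so the guard removed here is the one that should stay until the group-aware version exists. I would keep the removed `HasRight(Object => $RT::System, Right => 'SuperUser')` test for `$object->isa('RT::System')` and put the marker beside it, e.g. `# XXX: extend ACL check to group objects`. The enclosing sub starts and ends outside the hunk, so any checks earlier in it are not visible here.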
@@ -363,36 +357,6 @@
     return 0;
 }
 
-sub CurrentUserCanSee {
-    my $self = shift;
-    my $privacy = $self->Privacy;
-
-    if (!defined($privacy)) {
-        $RT::Logger->error("CurrentUserCanSee called with a dashboard without privacy.");
-        return 0;
-    }
-
-    return 1 if $privacy =~ /^RT::System/;
-
-    return 1 if $privacy =~ /^RT::User-(\d+)/
-             && $self->CurrentUser->Id == $1
-             && $self->CurrentUser->HasRight(
-                    Right  => 'SeeDashboard',
-                    Object => $RT::System,
-                );
-
-    if ($privacy =~ /^RT::Group-(\d+)/) {
-        my $group = RT::Group->new($self->CurrentUser);
-        $group->Load($1);
-        return 1 if $self->CurrentUser->HasRight(
-                        Right  => 'SeeDashboard',
-                        Object => $group,
-                    );
-    }
-
-    return 0;
-}
-
 ### Internal methods
 
 # _GetObject: helper routine to load the correct object whose parameters

Modified: rt/3.8/trunk/share/html/Dashboards/Modify.html
==============================================================================
--- rt/3.8/trunk/share/html/Dashboards/Modify.html	(original)
+++ rt/3.8/trunk/share/html/Dashboards/Modify.html	Thu Jun 26 20:07:23 2008
@@ -88,7 +88,7 @@
 my $Dashboard = RT::Dashboard->new($session{'CurrentUser'});
 my @privacies = $Dashboard->_PrivacyObjects(Modify => 1);
 
-my $can_delete = $session{'CurrentUser'}->HasRight(Right => 'DeleteDashboard', Object => $RT::System);
+my $can_delete = 1; # XXX: acl check
 
 # user went directly to Modify.html
 $Create = 1 if !$id;
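Review bot: `my $can_delete = 1;` fails open: every user who reaches this page is now offered deletion, and whether the delete path itself checks `DeleteDashboard` is not visible in this diff. Until the API enforces that right, I would keep the removed expression, `my $can_delete = $session{'CurrentUser'}->HasRight(Right => 'DeleteDashboard', Object => $RT::System);`, since it only controls what the page offers and is harmless once the API check exists. If the flag has to be stubbed, default it to `0` rather than `1`.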
@@ -99,23 +99,18 @@
 }
 else {
     if ($id eq 'new') {
-        my ($val, $msg);
         $tried_create = 1;
 
-        if ($session{'CurrentUser'}->HasRight(Right => 'ModifyDashboard', Object => $RT::System)) {
-            ($val, $msg) = $Dashboard->Save(
-                Name                  => $ARGS{'Name'},
-                Privacy               => $ARGS{'Privacy'},
-            );
-            push @results, $msg;
-        }
-        else {
-            $msg = "No permission to create dashboards";
-        }
+        my ($val, $msg) = $Dashboard->Save(
+            Name    => $ARGS{'Name'},
+            Privacy => $ARGS{'Privacy'},
+        );
 
         if (!$val) {
             Abort(loc("Dashboard could not be created: [_1]", $msg));
         }
+
+        push @results, $msg;
         $id = $Dashboard->Id;
     }
     else {
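Review bot: `$Dashboard->Save` now runs for any session, with `Name` and `Privacy` taken directly from `%ARGS`, and nothing in this commit adds the matching `ModifyDashboard` check to the API; the SharedSetting.pm hunk in this same commit removes one instead. The same applies to the `$Dashboard->Update` calls in the next Modify.html hunk and in Queries.html, and to `$SubscriptionObj->Create` in Subscription.html; the last Modify.html hunk also drops the `CurrentUserCanSee` abort. I would land the API-side checks first, or in this same commit, and remove the view checks only afterwards. Until then each call site should carry a marker such as `# XXX: no ACL check until RT::Dashboard enforces ModifyDashboard`. The `else` branch continues past the end of the hunk.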
@@ -136,14 +131,8 @@
 }
 
 if (!$Create && !$tried_create && $id && $ARGS{'Save'}) {
-    my ($ok, $msg);
-    if ($session{'CurrentUser'}->HasRight(Right => 'ModifyDashboard', Object => $RT::System)) {
-        ($ok, $msg) = $Dashboard->Update(Privacy  => $ARGS{'Privacy'},
-                                         Name     => $ARGS{'Name'});
-    }
-    else {
-        $msg = "No permission to update dashboards";
-    }
+    my ($ok, $msg) = $Dashboard->Update(Privacy  => $ARGS{'Privacy'},
+                                        Name     => $ARGS{'Name'});
 
     if ($ok) {
         push @results, loc("Dashboard updated");
@@ -162,8 +151,6 @@
     RT::Interface::Web::Redirect(RT->Config->Get('WebURL')."Dashboards/index.html?Deleted=$id");
 
 }
-
-Abort(loc("Permission denied")) unless $Dashboard->CurrentUserCanSee;
 </%INIT>
 
 <%ARGS>

Modified: rt/3.8/trunk/share/html/Dashboards/Queries.html
==============================================================================
--- rt/3.8/trunk/share/html/Dashboards/Queries.html	(original)
+++ rt/3.8/trunk/share/html/Dashboards/Queries.html	Thu Jun 26 20:07:23 2008
@@ -134,13 +134,7 @@
             [ reverse(split /-/, $_, 2), $desc_of{$_} ]
         } @{ $self->{Current} } ];
 
-        my ($ok, $msg);
-        if ($session{'CurrentUser'}->HasRight(Right => 'ModifyDashboard', Object => $RT::System)) {
-            ($ok, $msg) = $Dashboard->Update(Searches => $searches);
-        }
-        else {
-            $msg = "No permission to update dashboards";
-        }
+        my ($ok, $msg) = $Dashboard->Update(Searches => $searches);
 
         if ($ok) {
             push @results, loc("Dashboard updated");

Modified: rt/3.8/trunk/share/html/Dashboards/Subscription.html
==============================================================================
--- rt/3.8/trunk/share/html/Dashboards/Subscription.html	(original)
+++ rt/3.8/trunk/share/html/Dashboards/Subscription.html	Thu Jun 26 20:07:23 2008
@@ -238,18 +238,13 @@
     }
     # create
     else {
-        if ($session{'CurrentUser'}->HasRight(Right => 'SubscribeDashboard', Object => $RT::System)) {
-            ($val, $msg) = $SubscriptionObj->Create(
-                Name        => 'Subscription',
-                Description => 'Subscription to dashboard ' . $DashboardId,
-                ContentType => 'storable',
-                Object      => $session{'CurrentUser'}->UserObj,
-                Content     => \%fields,
-            );
-        }
-        else {
-            ($val, $msg) = (0, "No permission to subscribe to dashboards");
-        }
+        my ($val, $msg) = $SubscriptionObj->Create(
+            Name        => 'Subscription',
+            Description => 'Subscription to dashboard ' . $DashboardId,
+            ContentType => 'storable',
+            Object      => $session{'CurrentUser'}->UserObj,
+            Content     => \%fields,
+        );
         if ($val) {
             push @results, loc("Subscribed to dashboard [_1]", $DashboardObj->Name);
             push @results, loc("Warning: you have no email address set, so you will not receive this dashboard until you have it set")
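Review bot: The added `my ($val, $msg)` declares new lexicals inside the `else` block, whereas the removed lines assigned to `$val` and `$msg` without `my`, which suggests they are declared further up and shared with the update branch. If anything after this if/else reads them, it will see the outer pair, which the create branch no longer sets. Dropping the `my` keeps the old scoping: `($val, $msg) = $SubscriptionObj->Create(`. The outer declaration and the end of the block are outside the hunk, so this needs confirming against the full file.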

