[Rt-commit] r15744 - in rt/branches/3.999-DANGEROUS: lib/RT/Model
Wed Sep 3 20:26:34 EDT 2008
Author: ruz
Date: Wed Sep 3 20:26:31 2008
New Revision: 15744
Modified:
rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm
Log:
* add delegations column that references a collection
of ACEs delegated from this ACE
* fix delete inheritance
Modified: rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
==============================================================================
--- rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script (original)
+++ rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script Wed Sep 3 20:26:31 2008
@@ -10,3 +10,5 @@
Users.EmailAddress -> Users.email
Users.email_confirmed is new
+
+zeroes in ACL.delegate_by and ACL.delegate_from should be replaced with NULLs
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm Wed Sep 3 20:26:31 2008
@@ -86,6 +86,7 @@
column object_id => type is 'int', default is '0';
column delegated_by => references RT::Model::Principal;
column delegated_from => references RT::Model::ACE;
+ column delegations => references RT::Model::ACECollection by 'delegated_from';
};
use vars qw (
@@ -322,7 +323,7 @@
RT::Model::Principal->invalidate_acl_cache();
if ($id) {
- return ( $id, _('right Granted') );
+ return ( $id, _('Right granted') );
} else {
return ( 0, _('System error. Right not granted.') );
}
@@ -433,89 +434,63 @@
=head2 delete
Delete this object. This method should ONLY ever be called from RT::Model::User or RT::Model::Group (or from itself)
-If this is being called from within a transaction, specify a true value for the parameter inside_transaction.
-Really, Jifty::DBI should use and/or fake subtransactions
This routine will also recurse and delete any delegations of this right
=cut
-sub delete {
+sub check_delete_rights {
my $self = shift;
- unless ( $self->id ) {
- return ( 0, _('Right not loaded.') );
- }
-
- # A user can delete an ACE if the current user has the right to modify it and it's not a delegated ACE
- # or if it's a delegated ACE and it was delegated by the current user
- unless (
- ( $self->current_user->has_right(
- right => 'ModifyACL',
- object => $self->object
- )
- && $self->__value('delegated_by') == 0
- )
- || ( $self->__value('delegated_by') == $self->current_user->id )
- )
- {
- return ( 0, _('Permission Denied') );
- }
- $self->_delete(@_);
+ # if it's a delegated ACE then delegator can delete it
+ my $delegated = $self->delegated_by;
+ return 1 if $delegated && ($delegated->id||0) == $self->current_user->id;
+ return $self->current_user->has_right(
+ right => 'ModifyACL',
+ object => $self->object,
+ );
+ return 1;
}
# Helper for Delete with no ACL check
-sub _delete {
+sub _delete { return (shift)->__delete( @_ ) }
+sub __delete {
my $self = shift;
- my %args = (
- @_
- );
my $inside_transaction = Jifty->handle->transaction_depth;
- Jifty->handle->begin_transaction() unless $inside_transaction;
-
- my $delegated_from_this = RT::Model::ACECollection->new( current_user => RT->system_user );
- $delegated_from_this->limit(
- column => 'delegated_from',
- operator => '=',
- value => $self->id
- );
+ Jifty->handle->begin_transaction unless $inside_transaction;
- my $delete_succeeded = 1;
- my $submsg;
+ my $delegated_from_this = $self->delegations;
while ( my $delegated_ace = $delegated_from_this->next ) {
- ( $delete_succeeded, $submsg ) = $delegated_ace->_delete;
- last unless ($delete_succeeded);
+ my ($status, $msg) = $delegated_ace->__delete;
+ unless ( $status ) {
+ Jifty->handle->rollback() unless $inside_transaction;
+ return ( 0, _('Right could not be revoked') );
+ }
}
- unless ($delete_succeeded) {
- Jifty->handle->rollback() unless $inside_transaction;
+ my ($status, $msg) = $self->SUPER::__delete(@_);
+ unless ( $status ) {
+ Jifty->handle->rollback unless $inside_transaction;
return ( 0, _('Right could not be revoked') );
}
- my ( $val, $msg ) = $self->SUPER::delete(@_);
-
# If we're revoking delegation rights (see above), we may need to
# revoke all rights delegated by the recipient.
- if ($val
- and ( $self->right_name() eq 'DelegateRights'
- or $self->right_name() eq 'SuperUser' )
- )
- {
- $val = $self->principal_object->_cleanup_invalid_delegations;
- }
-
- if ($val) {
-
- #Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
- # TODO what about the groups key cache?
- RT::Model::Principal->invalidate_acl_cache();
- Jifty->handle->commit() unless $inside_transaction;
- return ( $val, _('Right revoked') );
+ my $right = $self->__value('right_name');
+ if ( $right eq 'DelegateRights' || $right eq 'SuperUser' ) {
+ my ($status) = $self->principal_object->_cleanup_invalid_delegations;
+ unless ( $status ) {
+ Jifty->handle->rollback unless $inside_transaction;
+ return ( 0, _('Right could not be revoked') );
+ }
}
- Jifty->handle->rollback() unless $inside_transaction;
- return ( 0, _('Right could not be revoked') );
+ # Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
+ # TODO what about the groups key cache?
+ RT::Model::Principal->invalidate_acl_cache();
+ Jifty->handle->commit unless $inside_transaction;
+ return ( 1, _('Right revoked') );
}
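Review bot: The rewritten check in check_delete_rights (from the `+sub check_delete_rights` line) lets any holder of ModifyACL on the object delete a delegated ACE, whereas the removed code only allowed the delegator to delete an ACE whose delegated_by was non-zero; the log entry does not mention this widening of who may revoke a delegation, so it may be unintended. If the old rule still applies, add `return 0 if $delegated && ($delegated->id || 0);` between the delegator shortcut and the `has_right` call; the trailing `return 1;` is unreachable either way and should be dropped. The method also no longer rejects an unloaded record (the `Right not loaded.` branch is removed), so an ACE without an id would presumably reach `has_right` with an undefined object — worth confirming that whatever now calls check_delete_rights, which is outside this hunk, guarantees a loaded record. The POD above it still reads `=head2 delete` and describes the recursion into delegations, which now lives in `__delete`; the heading should become `=head2 check_delete_rights` and the recursion sentence should move to a POD block for `__delete`. In `__delete` the `$msg` returned by `SUPER::__delete` and by the nested `__delete` calls is discarded, so callers only ever see `Right could not be revoked`; logging that message before returning would preserve the underlying cause for incident triage.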
@@ -628,7 +603,7 @@
sub _set {
my $self = shift;
- return ( 0, _("ACEs can only be Created and deleted.") );
+ return ( 0, _("ACEs can only be created and deleted.") );
}
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm Wed Sep 3 20:26:31 2008
@@ -1387,4 +1387,3 @@
}
1;
-