[Rt-commit] r17596 - in rt/branches/3.999-DANGEROUS: . lib/RT lib/RT/Model lib/RT/Shredder share/html/User/Elements t/api t/delegation
Author: jesse
Date: Tue Jan 6 15:21:40 2009
New Revision: 17596
Removed:
rt/branches/3.999-DANGEROUS/share/html/User/Delegation.html
rt/branches/3.999-DANGEROUS/share/html/User/Elements/DelegateRights
rt/branches/3.999-DANGEROUS/t/api/ace.t
rt/branches/3.999-DANGEROUS/t/delegation/
Modified:
rt/branches/3.999-DANGEROUS/ (props changed)
rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/ACECollection.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/CachedGroupMember.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/Group.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/GroupMember.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/Principal.pm
rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm
rt/branches/3.999-DANGEROUS/lib/RT/Shredder/CachedGroupMember.pm
rt/branches/3.999-DANGEROUS/lib/RT/Shredder/GroupMember.pm
rt/branches/3.999-DANGEROUS/lib/RT/System.pm
rt/branches/3.999-DANGEROUS/share/html/User/Elements/Tabs
Log:
r56629 at 17h: jesse | 2009-01-06 15:19:03 -0500
* Removed Delegations.
Modified: rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script
==============================================================================
--- rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script (original)
+++ rt/branches/3.999-DANGEROUS/TODO.schema_upgrade_script Tue Jan 6 15:21:40 2009
@@ -1,3 +1,6 @@
+Remove any rights granted by way of a delegation
+remove delegation parameters
+
Attachments.parent - replace all 0 values with NULLs
Attachments.transaction_id - is renamed to 'transaction'
* this has been reverted as transaction is reserved in SQLite
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/ACE.pm Tue Jan 6 15:21:40 2009
@@ -84,9 +84,6 @@
object_type => max_length is 25,
type is 'varchar(25)', default is '';
column object_id => type is 'int', default is '0';
- column delegated_by => references RT::Model::Principal;
- column delegated_from => references RT::Model::ACE;
- column delegations => references RT::Model::ACECollection by 'delegated_from';
};
use vars qw (
@@ -186,8 +183,6 @@
principal_id => The id of an RT::Model::Principal object
type => "User" "Group" or any Role type
right_name => the name of a right. in any case
- delegated_by => The Principal->id of the user delegating the right
- delegated_from => The id of the ACE which this new ACE is delegated from
Either:
@@ -302,8 +297,6 @@
right_name => $args{'right_name'},
object_type => $args{'object_type'},
object_id => $args{'object_id'},
- delegated_by => 0,
- delegated_from => 0,
);
if ( $self->id ) {
return ( 0, _('That principal already has that right') );
@@ -315,8 +308,6 @@
right_name => $args{'right_name'},
object_type => ref( $args{'object'} ),
object_id => $args{'object'}->id,
- delegated_by => 0,
- delegated_from => 0,
);
#Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
@@ -329,122 +320,15 @@
}
}
-
-
-=head2 delegate <PARAMS>
-
-This routine delegates the current ACE to a principal specified by the
-B<principal_id> parameter.
-
-Returns an error if the current user doesn't have the right to be delegated
-or doesn't have the right to delegate rights.
-
-Always returns a tuple of (ReturnValue, Message)
-
-
-=cut
-
-sub delegate {
- my $self = shift;
- my %args = (
- principal_id => undef,
- @_
- );
-
- unless ( $self->id ) {
- return ( 0, _("Right not loaded.") );
- }
- my $princ_obj;
- ( $princ_obj, $args{'type'} ) = $self->canonicalize_principal( $args{'principal_id'}, $args{'type'} );
-
- unless ( $princ_obj->id ) {
- return ( 0, _( 'Principal %1 not found.', $args{'principal_id'} ) );
- }
-
- # }}}
-
- # {{{ Check the ACL
-
- # First, we check to se if the user is delegating rights and
- # they have the permission to
- unless (
- $self->current_user->has_right(
- right => 'DelegateRights',
- object => $self->object
- )
- )
- {
- return ( 0, _("Permission Denied") );
- }
-
- unless ( $self->principal->is_group ) {
- return ( 0, _("System Error") );
- }
- unless ( $self->principal->object->has_member_recursively( $self->current_user->principal ) ) {
- return ( 0, _("Permission Denied") );
- }
-
- # }}}
-
- my $concurrency_check = RT::Model::ACE->new( current_user => RT->system_user );
- $concurrency_check->load( $self->id );
- unless ( $concurrency_check->id ) {
- Jifty->log->fatal("Trying to delegate a right which had already been deleted");
- return ( 0, _('Permission Denied') );
- }
-
- my $delegated_ace = RT::Model::ACE->new;
-
- # Make sure the right doesn't already exist.
- $delegated_ace->load_by_cols(
- principal_id => $princ_obj->id,
- type => 'Group',
- right_name => $self->__value('right_name'),
- object_type => $self->__value('object_type'),
- object_id => $self->__value('object_id'),
- delegated_by => $self->current_user->id,
- delegated_from => $self->id
- );
- if ( $delegated_ace->id ) {
- return ( 0, _('That principal already has that right') );
- }
- my $id = $delegated_ace->SUPER::create(
- principal_id => $princ_obj->id,
- type => 'Group', # do we want to hardcode this?
- right_name => $self->__value('right_name'),
- object_type => $self->__value('object_type'),
- object_id => $self->__value('object_id'),
- delegated_by => $self->current_user->id,
- delegated_from => $self->id
- );
-
- #Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
- # TODO what about the groups key cache?
- RT::Model::Principal->invalidate_acl_cache();
-
- if ( $id > 0 ) {
- return ( $id, _('right Delegated') );
- } else {
- return ( 0, _('System error. Right not delegated.') );
- }
-}
-
-
-
=head2 delete
Delete this object. This method should ONLY ever be called from RT::Model::User or RT::Model::Group (or from itself)
-This routine will also recurse and delete any delegations of this right
-
=cut
sub check_delete_rights {
my $self = shift;
- # if it's a delegated ACE then delegator can delete it
- my $delegated = $self->delegated_by;
- return 1 if $delegated && ($delegated->id||0) == $self->current_user->id;
return $self->current_user->has_right(
right => 'ModifyACL',
object => $self->object,
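Review bot: `check_delete_rights` now allows deletion only for a holder of `ModifyACL` on the ACE's object, but ACE rows created by the removed `delegate` path (which wrote a non-zero `delegated_by`/`delegated_from`, as the removed `SUPER::create` call shows) stay in the database until the step added to TODO.schema_upgrade_script is run, and neither this hunk nor the `__delete` hunk below revokes them — the cascade over `$self->delegations` is removed there too. Until the upgrade is applied those rows remain live grants that only a `ModifyACL` holder can revoke, so deployment order matters; a comment above `check_delete_rights` would make that explicit, e.g. `# ACEs delegated before this change are revoked by the schema upgrade, not here.` `check_delete_rights` continues past the end of the hunk and `__delete` begins before its hunk.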
@@ -477,32 +361,12 @@
my $inside_transaction = Jifty->handle->transaction_depth;
Jifty->handle->begin_transaction unless $inside_transaction;
- my $delegated_from_this = $self->delegations;
- while ( my $delegated_ace = $delegated_from_this->next ) {
- my ($status, $msg) = $delegated_ace->__delete;
- unless ( $status ) {
- Jifty->handle->rollback() unless $inside_transaction;
- return ( 0, _('Right could not be revoked') );
- }
- }
-
my ($status, $msg) = $self->SUPER::__delete(@_);
unless ( $status ) {
Jifty->handle->rollback unless $inside_transaction;
return ( 0, _('Right could not be revoked') );
}
- # If we're revoking delegation rights (see above), we may need to
- # revoke all rights delegated by the recipient.
- my $right = $self->__value('right_name');
- if ( $right eq 'DelegateRights' || $right eq 'SuperUser' ) {
- my ($status) = $self->principal->_cleanup_invalid_delegations;
- unless ( $status ) {
- Jifty->handle->rollback unless $inside_transaction;
- return ( 0, _('Right could not be revoked') );
- }
- }
-
# Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
# TODO what about the groups key cache?
RT::Model::Principal->invalidate_acl_cache();
@@ -610,9 +474,7 @@
sub _value {
my $self = shift;
- if ( $self->__value('delegated_by') eq $self->current_user->id ) {
- return ( $self->__value(@_) );
- } elsif ( $self->principal->is_group
+ if ( $self->principal->is_group
&& $self->principal->object->has_member_recursively( $self->current_user->principal ) )
{
return ( $self->__value(@_) );
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/ACECollection.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/ACECollection.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/ACECollection.pm Tue Jan 6 15:21:40 2009
@@ -213,71 +213,6 @@
-=head2 exclude_delegated_rights
-
-Don't list rights which have been delegated.
-
-=cut
-
-sub exclude_delegated_rights {
- my $self = shift;
- $self->delegated_by( id => 0 );
- $self->delegated_from( id => 0 );
-}
-
-
-
-=head2 delegated_by { id => undef }
-
-Limit the ACL to rights delegated by the principal whose Principal id is
-B<Id>
-
-Id is not optional.
-
-=cut
-
-sub delegated_by {
- my $self = shift;
- my %args = (
- id => undef,
- @_
- );
- $self->limit(
- column => 'delegated_by',
- operator => '=',
- value => $args{'id'},
- entry_aggregator => 'OR'
- );
-
-}
-
-
-
-=head2 delegated_from { id => undef }
-
-Limit the ACL to rights delegate from the ACE which has the id specified
-by the id parameter.
-
-Id is not optional.
-
-=cut
-
-sub delegated_from {
- my $self = shift;
- my %args = (
- id => undef,
- @_
- );
- $self->limit(
- column => 'delegated_from',
- operator => '=',
- value => $args{'id'},
- entry_aggregator => 'OR'
- );
-
-}
-
-
sub next {
my $self = shift;
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/CachedGroupMember.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/CachedGroupMember.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/CachedGroupMember.pm Tue Jan 6 15:21:40 2009
@@ -244,35 +244,17 @@
my $acl = RT::Model::ACECollection->new( current_user => RT->system_user );
$acl->limit_to_principal( id => $self->group_id );
- while ( my $this_ace = $acl->next() ) {
-
- # Find all ACEs which $self-MemberObj has delegated from $this_ace
- my $delegations = RT::Model::ACECollection->new( current_user => RT->system_user );
- $delegations->delegated_from( id => $this_ace->id );
- $delegations->delegated_by( id => $self->member_id );
-
- # For each delegation
- while ( my $delegation = $delegations->next ) {
-
- # WHACK IT
- my $del_ret = $delegation->_delete;
- unless ($del_ret) {
- Jifty->log->fatal( "Couldn't delete an ACL delegation that we know exists " . $delegation->id );
- return (undef);
- }
- }
- }
}
return ($err);
}
-=head2 setdisabled
+=head2 set_disabled
-Setdisableds the current CachedGroupMember from the group it's in and cascades
-the Setdisabled to all submembers. This routine could be completely excised if
-mysql supported foreign keys with cascading Setdisableds.
+disables the current CachedGroupMember from the group it's in and cascades
+the set_disabled to all submembers. This routine could be completely excised if
+mysql supported foreign keys with cascading deletes.
=cut
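Review bot: `$acl` is built and limited to the group on the two context lines at the top of the hunk, but with the `while ( my $this_ace = $acl->next() )` loop removed it is never read before the enclosing block closes, so those two lines are now dead and leave an unused collection object; the same leftover appears in the `set_disabled` hunk that follows. Either drop `my $acl = RT::Model::ACECollection->new( current_user => RT->system_user );` and `$acl->limit_to_principal( id => $self->group_id );` in both places, or, if they are being kept for a later use, say so in a comment. The enclosing method begins before the hunk.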
@@ -321,24 +303,6 @@
my $acl = RT::Model::ACECollection->new( current_user => RT->system_user );
$acl->limit_to_principal( id => $self->group_id );
- while ( my $this_ace = $acl->next() ) {
-
- # Find all ACEs which $self-MemberObj has delegated from $this_ace
- my $delegations = RT::Model::ACECollection->new( current_user => RT->system_user );
- $delegations->delegated_from( id => $this_ace->id );
- $delegations->delegated_by( id => $self->member_id );
-
- # For each delegation, blow away the delegation
- while ( my $delegation = $delegations->next ) {
-
- # WHACK IT
- my $del_ret = $delegation->_delete;
- unless ($del_ret) {
- Jifty->log->fatal( "Couldn't delete an ACL delegation that we know exists " . $delegation->id );
- return (undef);
- }
- }
- }
}
return ($err);
}
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/Group.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/Group.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/Group.pm Tue Jan 6 15:21:40 2009
@@ -92,7 +92,6 @@
$RIGHTS = {
AdminGroup => 'Modify group metadata or delete group', # loc_pair
AdminGroupMembership => 'Modify membership roster for this group', # loc_pair
- DelegateRights => "Delegate specific rights which have been granted to you.", # loc_pair
ModifyOwnMembership => 'join or leave this group', # loc_pair
EditSavedSearches => 'Edit saved searches for this group', # loc_pair
ShowSavedSearches => 'Display saved searches for this group', # loc_pair
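Review bot: Removing `DelegateRights` from `$RIGHTS` (and from the matching table in lib/RT/System.pm in this commit) does not remove ACE rows that already grant that right, and the two lines added to TODO.schema_upgrade_script cover delegated grants and the delegation columns but not grants of `DelegateRights` itself. Whether a stored right name that no longer appears in `$RIGHTS` is ignored or rejected depends on the rights-validation code, which is not in this diff, so it is worth adding `Revoke any ACE whose right_name is 'DelegateRights'` to the upgrade TODO so stale grants are cleaned up rather than left behind.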
@@ -528,9 +527,7 @@
=head2 create_personal_group { principal_id => PRINCIPAL_ID, name => "name", description => "description"}
-A helper subroutine which creates a personal group. Generally,
-personal groups are used for ACL delegation and adding to ticket roles
-principal_id defaults to the current user's principal id.
+A helper subroutine which creates a personal group.
Returns a tuple of (Id, Message). If id is 0, the create failed
@@ -629,7 +626,6 @@
# Remove this group from anything it's a member of.
# Remove all cached members of this group
# Remove any rights granted to this group
- # remove any rights delegated by way of this group
return ( $self->SUPER::delete(@_) );
}
@@ -1138,53 +1134,6 @@
-=head2 _cleanup_invalid_delegations
-
-Revokes all ACE entries delegated by members of this group which are
-inconsistent with their current delegation rights. Does not perform
-permission checks. Should only ever be called from inside the RT
-library.
-
-Returns a true value if the deletion succeeded; returns a false value
-and logs an internal error if the deletion fails (should not happen).
-
-=cut
-
-# XXX Currently there is a _cleanup_invalid_delegations method in both
-# RT::Model::User and RT::Model::Group. If the recursive cleanup call for groups is
-# ever unrolled and merged, this code will probably want to be
-# factored out into RT::Model::Principal.
-
-sub _cleanup_invalid_delegations {
- my $self = shift;
- my %args = (
- @_
- );
-
- unless ( $self->id ) {
- Jifty->log->warn("Group not loaded.");
- return (undef);
- }
-
- my $in_trans = Jifty->handle->transaction_depth;
-
- # TODO: Can this be unrolled such that the number of DB queries is constant rather than linear in exploded group size?
- my $members = $self->deep_members_obj();
- $members->limit_to_users();
- Jifty->handle->begin_transaction() unless $in_trans;
- while ( my $member = $members->next() ) {
- my $ret = $member->member_obj->_cleanup_invalid_delegations(
- object => $args{object}
- );
- unless ($ret) {
- Jifty->handle->rollback() unless $in_trans;
- return (undef);
- }
- }
- Jifty->handle->commit() unless $in_trans;
- return (1);
-}
-
sub _set {
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/GroupMember.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/GroupMember.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/GroupMember.pm Tue Jan 6 15:21:40 2009
@@ -321,16 +321,6 @@
return (undef);
}
- # Since this deletion may have changed the former member's
- # delegation rights, we need to ensure that no invalid delegations
- # remain.
- ( $err, $msg ) = $self->member_obj->_cleanup_invalid_delegations;
- unless ($err) {
- Jifty->log->warn( "Unable to revoke delegated rights for principal " . $self->id );
- Jifty->handle->rollback();
- return (undef);
- }
-
#Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space.
# TODO what about the groups key cache?
RT::Model::Principal->invalidate_acl_cache();
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/Principal.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/Principal.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/Principal.pm Tue Jan 6 15:21:40 2009
@@ -213,35 +213,6 @@
-=head2 sub _cleanup_invalid_delegations
-
-Revokes all ACE entries delegated by this principal which are
-inconsistent with this principal's current delegation rights. Does
-not perform permission checks, but takes no action and returns success
-if this principal still retains DelegateRights. Should only ever be
-called from inside the RT library.
-
-If this principal is a group, recursively calls this method on each
-cached user member of itself.
-
-Returns a true value if the deletion succeeded; returns a false value
-and logs an internal error if the deletion fails (should not happen).
-
-=cut
-
-# This is currently just a stub for the methods of the same name in
-# RT::Model::User and RT::Model::Group.
-
-sub _cleanup_invalid_delegations {
- my $self = shift;
- unless ( $self->id ) {
- Jifty->log->warn("Principal not loaded.");
- return (undef);
- }
- return ( $self->object->_cleanup_invalid_delegations(@_) );
-}
-
-
=head2 sub has_right (right => 'right' object => undef)
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Model/User.pm Tue Jan 6 15:21:40 2009
@@ -1128,79 +1128,6 @@
}
-=head2 _cleanup_invalid_delegations
-
-Revokes all ACE entries delegated by this user which are inconsistent
-with their current delegation rights. Does not perform permission
-checks. Should only ever be called from inside the RT library.
-
-Returns a true value if the deletion succeeded; returns a false value
-and logs an internal error if the deletion fails (should not happen).
-
-=cut
-
-# XXX Currently there is a _cleanup_invalid_delegations method in both
-# RT::Model::User and RT::Model::Group. If the recursive cleanup call for groups is
-# ever unrolled and merged, this code will probably want to be
-# factored out into RT::Model::Principal.
-
-sub _cleanup_invalid_delegations {
- my $self = shift;
- my %args = (
- @_
- );
-
- unless ( $self->id ) {
- Jifty->log->warn("User not loaded.");
- return (undef);
- }
-
- my $in_trans = Jifty->handle->transaction_depth;
-
- return (1)
- if (
- $self->has_right(
- right => 'DelegateRights',
- object => RT->system
- )
- );
-
- # Look up all delegation rights currently posessed by this user.
- my $deleg_acl = RT::Model::ACECollection->new( current_user => RT->system_user );
- $deleg_acl->limit_to_principal(
- type => 'User',
- id => $self->principal_id,
- include_group_membership => 1
- );
- $deleg_acl->limit(
- column => 'right_name',
- operator => '=',
- value => 'DelegateRights'
- );
- my @allowed_deleg_objects = map { $_->object() } @{ $deleg_acl->items_array_ref() };
-
- # Look up all rights delegated by this principal which are
- # inconsistent with the allowed delegation objects.
- my $acl_to_del = RT::Model::ACECollection->new( current_user => RT->system_user );
- $acl_to_del->delegated_by( id => $self->id );
- foreach (@allowed_deleg_objects) {
- $acl_to_del->limitnot_object($_);
- }
-
- # Delete all disallowed delegations
- while ( my $ace = $acl_to_del->next() ) {
- my $ret = $ace->_delete;
- unless ($ret) {
- Jifty->handle->rollback() unless $in_trans;
- Jifty->log->warn( "Couldn't delete delegated ACL entry " . $ace->id );
- return (undef);
- }
- }
-
- Jifty->handle->commit() unless $in_trans;
- return (1);
-}
-
sub _set {
my $self = shift;
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Shredder/CachedGroupMember.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Shredder/CachedGroupMember.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Shredder/CachedGroupMember.pm Tue Jan 6 15:21:40 2009
@@ -73,27 +73,6 @@
$objs->limit( column => 'id', operator => '!=', value => $self->id );
push( @$list, $objs );
- # principal lost group membership and lost some rights which he could delegate to
- # some body
-
- # XXX: Here is problem cause has_member_recursively would return true allways
- # cause we didn't delete anything yet. :(
- # if pricipal is not member anymore(could be via other groups) then proceed
- if ( $self->group_obj->object->has_member_recursively( $self->member_obj ) ) {
- my $acl = RT::Model::ACECollection->new;
- $acl->limit_to_principal( id => $self->group_id );
-
- # look into all rights that have group
- while ( my $ace = $acl->next ) {
- my $delegations = RT::Model::ACECollection->new;
- $delegations->delegated_from( id => $ace->id );
- $delegations->delegated_by( id => $self->member_id );
- push( @$list, $delegations );
- }
- }
-
- # XXX: Do we need to delete records if user lost right 'DelegateRights'?
-
$deps->_push_dependencies(
base_object => $self,
flags => DEPENDS_ON,
Modified: rt/branches/3.999-DANGEROUS/lib/RT/Shredder/GroupMember.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/Shredder/GroupMember.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/Shredder/GroupMember.pm Tue Jan 6 15:21:40 2009
@@ -74,7 +74,6 @@
$objs->limit( column => 'immediate_parent', value => $self->group_id );
push( @$list, $objs );
- # XXX: right delegations should be cleaned here
$deps->_push_dependencies(
base_object => $self,
Modified: rt/branches/3.999-DANGEROUS/lib/RT/System.pm
==============================================================================
--- rt/branches/3.999-DANGEROUS/lib/RT/System.pm (original)
+++ rt/branches/3.999-DANGEROUS/lib/RT/System.pm Tue Jan 6 15:21:40 2009
@@ -80,7 +80,6 @@
AdminOwnPersonalGroups => 'Create, delete and modify the members of personal groups', # loc_pair
AdminUsers => 'Create, delete and modify users', # loc_pair
ModifySelf => "Modify one's own RT account", # loc_pair
- DelegateRights => "Delegate specific rights which have been granted to you.", # loc_pair
ShowConfigTab => "show Configuration tab", # loc_pair
LoadSavedSearch => "allow loading of saved searches", # loc_pair
CreateSavedSearch => "allow creation of saved searches", # loc_pair
Modified: rt/branches/3.999-DANGEROUS/share/html/User/Elements/Tabs
==============================================================================
--- rt/branches/3.999-DANGEROUS/share/html/User/Elements/Tabs (original)
+++ rt/branches/3.999-DANGEROUS/share/html/User/Elements/Tabs Tue Jan 6 15:21:40 2009
@@ -64,9 +64,6 @@
g => { title => _('Personal Groups'),
path => 'User/Groups/',
},
- h => { title => _('Delegation'),
- path => 'User/Delegation.html',
- },
f => { title => _('Search options'),
path => 'Prefs/SearchOptions.html',
},