[Rt-commit] r18971 - in rt/3.999/trunk: lib/RT lib/RT/Model t/api
ruz at bestpractical.com
ruz at bestpractical.com
Fri Mar 27 19:25:49 EDT 2009
Author: ruz
Date: Fri Mar 27 19:25:48 2009
New Revision: 18971
Added:
rt/3.999/trunk/lib/RT/IsPrincipalCollection.pm
Modified:
rt/3.999/trunk/lib/RT/Model/GroupCollection.pm
rt/3.999/trunk/lib/RT/Model/UserCollection.pm
rt/3.999/trunk/lib/RT/ScripAction/CreateTickets.pm
rt/3.999/trunk/t/api/groups.t
Log:
* add lib/RT/IsPrincipalCollection.pm
* move all who_have_*_right there
* move principals_alias there
Added: rt/3.999/trunk/lib/RT/IsPrincipalCollection.pm
==============================================================================
--- (empty file)
+++ rt/3.999/trunk/lib/RT/IsPrincipalCollection.pm Fri Mar 27 19:25:48 2009
@@ -0,0 +1,401 @@
+use strict;
+use warnings;
+
+package RT::IsPrincipalCollection;
+
+
+=head2 principals_alias
+
+Returns the string that represents this Users object's primary "Principals" alias.
+
+=cut
+
+sub principals_alias {
+ my $self = shift;
+
+ return $self->{'princ_alias'} if $self->{'princ_alias'};
+
+ $self->{'princ_alias'} = $self->new_alias('Principals');
+ $self->join(
+ alias1 => 'main',
+ column1 => 'id',
+ alias2 => $self->principals_alias,
+ column2 => 'id'
+ );
+ return $self->{'princ_alias'};
+}
+
+=head2 limit_to_enabled
+
+Only find items that haven\'t been disabled
+
+=cut
+
+sub limit_to_enabled {
+ my $self = shift;
+
+ $self->limit(
+ alias => $self->principals_alias,
+ column => 'disabled',
+ value => '0',
+ operator => '='
+ );
+}
+
+
+
+=head2 member_of
+
+takes one argument, a group's principal id. Limits the returned set
+to members of a given group
+
+=cut
+
+sub member_of {
+ my $self = shift;
+ my $group = shift;
+
+ return _("No group specified") if ( !defined $group );
+
+ my $groupalias = $self->new_alias('CachedGroupMembers');
+
+ # join the principal to the groups table
+ $self->join(
+ alias1 => $self->principals_alias,
+ column1 => 'id',
+ alias2 => $groupalias,
+ column2 => 'member_id',
+ );
+
+ $self->limit(
+ alias => $groupalias,
+ column => 'group_id',
+ value => "$group",
+ operator => "="
+ );
+}
+
+=head2 who_have_right { right => 'name', object => $rt_object , include_superusers => undef, recursive => undef, include_system_rights => undef, equiv_objects => [ ] }
+
+
+find all users who the right right for this group, either individually
+or as members of groups
+
+If passed a queue object, with no id, it will find users who have that right for _any_ queue
+
+=cut
+
+sub who_have_right {
+ my $self = shift;
+ my %args = (
+ right => undef,
+ object => undef,
+ include_system_rights => 1,
+ include_superusers => 0,
+ recursive => 1,
+ equiv_objects => [],
+ @_
+ );
+
+ if ( defined $args{'object_type'} || defined $args{'object_id'} ) {
+ Jifty->log->fatal( "who_have_right called with the Obsolete object_id/Object_type API" );
+ return (undef);
+ }
+
+ my $from_role = $self->clone;
+ $from_role->who_have_role_right(%args);
+
+ my $from_group = $self->clone;
+ $from_group->who_have_group_right(%args);
+
+ #XXX: DIRTY HACK
+ use Jifty::DBI::Collection::Union;
+ my $union = new Jifty::DBI::Collection::Union;
+ $union->add($from_role);
+ $union->add($from_group);
+ %$self = %$union;
+ bless $self, ref($union);
+
+ return;
+}
+
+
+sub who_have_role_right {
+ my $self = shift;
+ my %args = (
+ right => undef,
+ object => undef,
+ include_system_rights => undef,
+ include_superusers => undef,
+ recursive => 1,
+ equiv_objects => [],
+ @_
+ );
+
+ my $groups = $self->_join_groups(%args);
+ my $acl = $self->_join_acl(%args);
+
+ my ( $check_roles, $check_objects ) = ( '', '' );
+
+ my @objects = $self->_get_equiv_objects(%args);
+
+ if (@objects) {
+ my @role_clauses;
+ my @object_clauses;
+ foreach my $obj (@objects) {
+ my $type = ref($obj) ? ref($obj) : $obj;
+ my $id;
+ $id = $obj->id
+ if ref($obj) && UNIVERSAL::can( $obj, 'id' ) && $obj->id;
+
+ my $role_clause = "$groups.domain = '$type-Role'";
+
+ # if we want mysql 4.0 use indexes here. we MUST convert that
+ # field to integer and drop this quotes.
+ $role_clause .= " AND $groups.instance = '$id'" if $id;
+ push @role_clauses, "($role_clause)";
+ my $object_clause = "$acl.object_type = '$type'";
+ $object_clause .= " AND $acl.object_id = $id" if $id;
+ push @object_clauses, "($object_clause)";
+
+ }
+
+ $check_roles .= join ' OR ', @role_clauses;
+ $check_objects = join ' OR ', @object_clauses;
+ } else {
+ if ( !$args{'include_system_rights'} ) {
+ $check_objects = "($acl.object_type != 'RT::System')";
+ }
+ }
+
+ $self->_add_subclause( "Whichobject", "($check_objects)" );
+ $self->_add_subclause( "WhichRole", "($check_roles)" );
+
+ $self->limit(
+ alias => $acl,
+ column => 'type',
+ value => "$groups.Type",
+ quote_value => 0,
+ );
+
+ # no system user
+ $self->limit(
+ alias => $self->principals_alias,
+ column => 'id',
+ operator => '!=',
+ value => RT->system_user->id
+ );
+ return;
+}
+
+
+sub who_have_group_right {
+ my $self = shift;
+ my %args = (
+ right => undef,
+ object => undef,
+ include_system_rights => undef,
+ include_superusers => undef,
+ recursive => 1,
+ equiv_objects => [],
+ @_
+ );
+
+ # Find only rows where the Right granted is
+ # the one we're looking up or _possibly_ superuser
+ my $acl = $self->_join_acl(%args);
+
+ my ($check_objects) = ('');
+ my @objects = $self->_get_equiv_objects(%args);
+
+ if (@objects) {
+ my @object_clauses;
+ foreach my $obj (@objects) {
+ my $type = ref($obj) ? ref($obj) : $obj;
+ my $id;
+ $id = $obj->id
+ if ref($obj) && UNIVERSAL::can( $obj, 'id' ) && $obj->id;
+
+ my $object_clause = "$acl.object_type = '$type'";
+ $object_clause .= " AND $acl.object_id = $id" if $id;
+ push @object_clauses, "($object_clause)";
+ }
+
+ $check_objects = join ' OR ', @object_clauses;
+ } else {
+ if ( !$args{'include_system_rights'} ) {
+ $check_objects = "($acl.object_type != 'RT::System')";
+ }
+ }
+ $self->_add_subclause( "Whichobject", "($check_objects)" );
+
+ $self->_join_group_members_for_group_rights( %args, aclalias => $acl );
+
+ # Find only members of groups that have the right.
+ $self->limit(
+ alias => $acl,
+ column => 'type',
+ value => 'Group',
+ );
+
+ # no system user
+ $self->limit(
+ alias => $self->principals_alias,
+ column => 'id',
+ operator => '!=',
+ value => RT->system_user->id
+ );
+ return;
+}
+
+
+=head2 who_belong_to_groups { Groups => ARRAYREF, recursive => 1 }
+
+=cut
+
+sub who_belong_to_groups {
+ my $self = shift;
+ my %args = (
+ groups => undef,
+ recursive => 1,
+ @_
+ );
+
+ # Unprivileged users can't be granted real system rights.
+ # is this really the right thing to be saying?
+ $self->limit_to_privileged();
+
+ my $group_members = $self->_join_group_members(%args);
+
+ foreach my $groupid ( @{ $args{'groups'} } ) {
+ $self->limit(
+ alias => $group_members,
+ column => 'group_id',
+ value => $groupid,
+ quote_value => 0,
+ entry_aggregator => 'OR',
+ );
+ }
+}
+
+
+sub _join_group_members_for_group_rights {
+ my $self = shift;
+ my %args = (@_);
+ my $group_members = $self->_join_group_members(%args);
+ $self->limit(
+ alias => $args{'aclalias'},
+ column => 'principal',
+ value => "$group_members.group_id",
+ quote_value => 0,
+ );
+}
+
+sub _join_group_members {
+ my $self = shift;
+ my %args = (
+ recursive => 1,
+ @_
+ );
+
+ my $principals = $self->principals_alias;
+
+ # The cachedgroupmembers table is used for unrolling group memberships
+ # to allow fast lookups. if we bind to CachedGroupMembers, we'll find
+ # all members of groups recursively. if we don't we'll find only 'direct'
+ # members of the group in question
+ my $group_members;
+ if ( $args{'recursive'} ) {
+ $group_members = $self->new_alias('CachedGroupMembers');
+ } else {
+ $group_members = $self->new_alias('GroupMembers');
+ }
+
+ $self->join(
+ alias1 => $group_members,
+ column1 => 'member_id',
+ alias2 => $principals,
+ column2 => 'id'
+ );
+
+ return $group_members;
+}
+
+
+sub _join_groups {
+ my $self = shift;
+ my %args = (@_);
+
+ my $group_members = $self->_join_group_members(%args);
+ my $groups = $self->new_alias('Groups');
+ $self->join(
+ alias1 => $groups,
+ column1 => 'id',
+ alias2 => $group_members,
+ column2 => 'group_id'
+ );
+
+ return $groups;
+}
+
+sub _join_acl {
+ my $self = shift;
+ my %args = (
+ right => undef,
+ include_superusers => undef,
+ @_,
+ );
+
+ my $acl = $self->new_alias('ACL');
+ $self->limit(
+ alias => $acl,
+ column => 'right_name',
+ operator => ( $args{right} ? '=' : 'IS NOT' ),
+ value => $args{right} || 'NULL',
+ entry_aggregator => 'OR'
+ );
+ if ( $args{'include_superusers'} and $args{'right'} ) {
+ $self->limit(
+ alias => $acl,
+ column => 'right_name',
+ operator => '=',
+ value => 'SuperUser',
+ entry_aggregator => 'OR'
+ );
+ }
+ return $acl;
+}
+
+sub _get_equiv_objects {
+ my $self = shift;
+ my %args = (
+ object => undef,
+ include_system_rights => undef,
+ equiv_objects => [],
+ @_
+ );
+ return () unless $args{'object'};
+
+ my @objects = ( $args{'object'} );
+ if ( UNIVERSAL::isa( $args{'object'}, 'RT::Model::Ticket' ) ) {
+
+ # If we're looking at ticket rights, we also want to look at the associated queue rights.
+ # this is a little bit hacky, but basically, now that we've done the ticket roles magic,
+ # we load the queue object and ask all the rest of our questions about the queue.
+
+ # XXX: This should be abstracted into object itself
+ if ( $args{'object'}->id ) {
+ push @objects, $args{'object'}->acl_equivalence_objects;
+ } else {
+ push @objects, 'RT::Model::Queue';
+ }
+ }
+
+ if ( $args{'include_system_rights'} ) {
+ push @objects, 'RT::System';
+ }
+ push @objects, @{ $args{'equiv_objects'} };
+ return grep $_, @objects;
+}
+
+1;
Modified: rt/3.999/trunk/lib/RT/Model/GroupCollection.pm
==============================================================================
--- rt/3.999/trunk/lib/RT/Model/GroupCollection.pm (original)
+++ rt/3.999/trunk/lib/RT/Model/GroupCollection.pm Fri Mar 27 19:25:48 2009
@@ -73,7 +73,7 @@
package RT::Model::GroupCollection;
-use base qw/RT::SearchBuilder/;
+use base qw/RT::IsPrincipalCollection RT::SearchBuilder/;
use RT::Model::UserCollection;
@@ -90,38 +90,6 @@
column => 'name',
order => 'ASC'
);
-
- # XXX: this code should be generalized
- $self->{'princalias'} = $self->join(
- alias1 => 'main',
- column1 => 'id',
- table2 => 'Principals',
- column2 => 'id'
- );
-
- # even if this condition is useless and ids in the Groups table
- # only match principals with type 'Group' this could speed up
- # searches in some DBs.
- $self->limit(
- alias => $self->{'princalias'},
- column => 'type',
- value => 'Group',
- );
-
-}
-
-
-=head2 principals_alias
-
-Returns the string that represents this Users object's primary "Principals" alias.
-
-=cut
-
-# XXX: should be generalized, code duplication
-sub principals_alias {
- my $self = shift;
- return ( $self->{'princalias'} );
-
}
@@ -163,6 +131,58 @@
#$self->limit(column => 'instance', operator => '=', value => '');
}
+=head2 limit_to_roles
+
+Limits the set of groups found to role groups for an instance of a model. Takes:
+
+=over 4
+
+=item model - mandatory name of a model, for example: 'RT::Model::Ticket';
+
+=item instance - optional id of the model record;
+
+=item type - optional type of the role groups, for example 'cc';
+
+=item subclause and entry_aggregator - use to combine with different conditions;
+by default aggregator is 'OR' and subclause matches name of the method, so you can
+call this method multiple times and get role of groups of different models.
+
+=cut
+
+sub limit_to_roles {
+ my $self = shift;
+ my %args = (
+ model => undef,
+ type => undef,
+ instance => undef,
+ entry_aggregator => 'OR',
+ subclause => 'limit_to_roles',
+ @_
+ );
+ $self->open_paren( $args{'subclause'} );
+ $self->limit(
+ subclause => $args{'subclause'},
+ entry_aggregator => $args{'entry_aggregator'},
+ column => 'domain',
+ operator => '=',
+ value => $args{'model'} .'-Role',
+ );
+ $self->limit(
+ subclause => $args{'subclause'},
+ entry_aggregator => 'AND',
+ column => 'instance',
+ operator => '=',
+ value => $args{'instance'},
+ ) if defined $args{'instance'};
+ $self->limit(
+ subclause => $args{'subclause'},
+ entry_aggregator => 'AND',
+ column => 'type',
+ operator => '=',
+ value => $args{'type'},
+ ) if defined $args{'type'};
+ $self->close_paren( $args{'subclause'} );
+}
=head2 limit_to_roles_for_queue QUEUE_ID
@@ -232,8 +252,8 @@
recursively => undef,
@_
);
- my $members;
+ my $members;
if ( $args{'recursively'} ) {
$members = $self->new_alias('CachedGroupMembers');
} else {
@@ -285,59 +305,18 @@
);
}
-=head2 withright { right => RIGHTNAME, object => RT::Record, include_system_rights => 1, include_superusers => 0, equiv_objects => [ ] }
-
-
-Find all groups which have RIGHTNAME for RT::Record. Optionally include global rights and superusers. By default, include the global rights, but not the superusers.
-
-
-
-=cut
-
-#XXX: should be generilized
-sub with_right {
- my $self = shift;
- my %args = (
- right => undef,
- object => => undef,
- include_system_rights => 1,
- include_superusers => undef,
- include_subgroup_members => 0,
- equiv_objects => [],
- @_
- );
-
- my $from_role = $self->clone;
- $from_role->with_role_right(%args);
-
- my $from_group = $self->clone;
- $from_group->with_group_right(%args);
-
- #XXX: DIRTY HACK
- use Jifty::DBI::Collection::Union;
- my $union = new Jifty::DBI::Collection::Union;
- $union->add($from_role);
- $union->add($from_group);
- %$self = %$union;
- bless $self, ref($union);
-
- return;
-}
-
-#XXX: methods are active aliases to Users class to prevent code duplication
-# should be generalized
sub _join_groups {
my $self = shift;
my %args = (@_);
- return 'main' unless $args{'include_subgroup_members'};
- return $self->RT::Model::UserCollection::_join_groups(%args);
+ return 'main' unless $args{'recursive'};
+ return $self->SUPER::_join_groups(%args);
}
sub _join_group_members {
my $self = shift;
my %args = (@_);
- return 'main' unless $args{'include_subgroup_members'};
- return $self->RT::Model::UserCollection::_join_group_members(%args);
+ return 'main' unless $args{'recursive'};
+ return $self->SUPER::_join_group_members(%args);
}
sub _join_group_members_for_group_rights {
@@ -345,7 +324,7 @@
my %args = (@_);
my $group_members = $self->_join_group_members(%args);
unless ( $group_members eq 'main' ) {
- return $self->RT::Model::UserCollection::_join_group_members_for_group_rights(%args);
+ return $self->SUPER::_join_group_members_for_group_rights(%args);
}
$self->limit(
alias => $args{'aclalias'},
@@ -354,47 +333,6 @@
quote_value => 0,
);
}
-sub _join_acl { return (shift)->RT::Model::UserCollection::_join_acl(@_) }
-
-sub _role_clauses {
- return (shift)->RT::Model::UserCollection::_RoleClauses(@_);
-}
-
-sub who_have_role_right_splitted {
- return (shift)->RT::Model::UserCollection::_who_have_role_rightSplitted(@_);
-}
-
-sub _get_equiv_objects {
- return (shift)->RT::Model::UserCollection::_get_equiv_objects(@_);
-}
-
-sub with_group_right {
- return (shift)->RT::Model::UserCollection::who_have_group_right(@_);
-}
-
-sub with_role_right {
- return (shift)->RT::Model::UserCollection::who_have_role_right(@_);
-}
-
-
-=head2 limit_to_enabled
-
-Only find items that haven\'t been disabled
-
-=cut
-
-sub limit_to_enabled {
- my $self = shift;
-
- $self->limit(
- alias => $self->principals_alias,
- column => 'disabled',
- value => '0',
- operator => '=',
- );
-}
-
-
sub next {
my $self = shift;
@@ -421,9 +359,7 @@
$self->limit_to_enabled();
}
- return ( $self->SUPER::_do_search(@_) );
-
+ return $self->SUPER::_do_search(@_);
}
1;
-
Modified: rt/3.999/trunk/lib/RT/Model/UserCollection.pm
==============================================================================
--- rt/3.999/trunk/lib/RT/Model/UserCollection.pm (original)
+++ rt/3.999/trunk/lib/RT/Model/UserCollection.pm Fri Mar 27 19:25:48 2009
@@ -67,7 +67,7 @@
use strict;
package RT::Model::UserCollection;
-use base qw/RT::SearchBuilder/;
+use base qw/IsPrincipalCollection RT::SearchBuilder/;
sub _init {
my $self = shift;
@@ -81,39 +81,10 @@
order => 'ASC'
);
- $self->{'princ_alias'} = $self->new_alias('Principals');
-
- # XXX: should be generalized
- $self->join(
- alias1 => 'main',
- column1 => 'id',
- alias2 => $self->principals_alias,
- column2 => 'id'
- );
- $self->limit(
- alias => $self->principals_alias,
- column => 'type',
- value => 'User',
- );
-
return (@result);
}
-=head2 principals_alias
-
-Returns the string that represents this Users object's primary "Principals" alias.
-
-=cut
-
-# XXX: should be generalized
-sub principals_alias {
- my $self = shift;
- return ( $self->{'princ_alias'} );
-
-}
-
-
=head2 _do_search
A subclass of Jifty::DBI::_do_search that makes sure that _disabled rows never get seen unless
@@ -129,30 +100,8 @@
$self->limit_to_enabled();
}
return ( $self->SUPER::_do_search(@_) );
-
-}
-
-
-=head2 limit_to_enabled
-
-Only find items that haven\'t been disabled
-
-=cut
-
-# XXX: should be generalized
-sub limit_to_enabled {
- my $self = shift;
-
- $self->limit(
- alias => $self->principals_alias,
- column => 'disabled',
- value => '0',
- operator => '='
- );
}
-
-
=head2 limit_to_email
Takes one argument. an email address. limits the returned set to
@@ -168,39 +117,6 @@
-=head2 member_of_group PRINCIPAL_ID
-
-takes one argument, a group's principal id. Limits the returned set
-to members of a given group
-
-=cut
-
-sub member_of_group {
- my $self = shift;
- my $group = shift;
-
- return _("No group specified") if ( !defined $group );
-
- my $groupalias = $self->new_alias('CachedGroupMembers');
-
- # join the principal to the groups table
- $self->join(
- alias1 => $self->principals_alias,
- column1 => 'id',
- alias2 => $groupalias,
- column2 => 'member_id'
- );
-
- $self->limit(
- alias => "$groupalias",
- column => 'group_id',
- value => "$group",
- operator => "="
- );
-}
-
-
-
=head2 limit_to_privileged
Limits to users who can be made members of ACLs and groups
@@ -215,339 +131,7 @@
unless ( $priv->id ) {
Jifty->log->fatal("Couldn't find a privileged users group");
}
- $self->member_of_group( $priv->principal_id );
-}
-
-
-
-=head2 who_have_right { right => 'name', object => $rt_object , include_superusers => undef, include_subgroup_members => undef, include_system_rights => undef, equiv_objects => [ ] }
-
-
-find all users who the right right for this group, either individually
-or as members of groups
-
-If passed a queue object, with no id, it will find users who have that right for _any_ queue
-
-=cut
-
-# XXX: should be generalized
-sub _join_group_members {
- my $self = shift;
- my %args = (
- include_subgroup_members => 1,
- @_
- );
-
- my $principals = $self->principals_alias;
-
- # The cachedgroupmembers table is used for unrolling group memberships
- # to allow fast lookups. if we bind to CachedGroupMembers, we'll find
- # all members of groups recursively. if we don't we'll find only 'direct'
- # members of the group in question
- my $group_members;
- if ( $args{'include_subgroup_members'} ) {
- $group_members = $self->new_alias('CachedGroupMembers');
- } else {
- $group_members = $self->new_alias('GroupMembers');
- }
-
- $self->join(
- alias1 => $group_members,
- column1 => 'member_id',
- alias2 => $principals,
- column2 => 'id'
- );
-
- return $group_members;
-}
-
-# XXX: should be generalized
-sub _join_groups {
- my $self = shift;
- my %args = (@_);
-
- my $group_members = $self->_join_group_members(%args);
- my $groups = $self->new_alias('Groups');
- $self->join(
- alias1 => $groups,
- column1 => 'id',
- alias2 => $group_members,
- column2 => 'group_id'
- );
-
- return $groups;
+ $self->member_of( $priv->principal_id );
}
-# XXX: should be generalized
-sub _join_acl {
- my $self = shift;
- my %args = (
- right => undef,
- include_superusers => undef,
- @_,
- );
-
- my $acl = $self->new_alias('ACL');
- $self->limit(
- alias => $acl,
- column => 'right_name',
- operator => ( $args{right} ? '=' : 'IS NOT' ),
- value => $args{right} || 'NULL',
- entry_aggregator => 'OR'
- );
- if ( $args{'include_superusers'} and $args{'right'} ) {
- $self->limit(
- alias => $acl,
- column => 'right_name',
- operator => '=',
- value => 'SuperUser',
- entry_aggregator => 'OR'
- );
- }
- return $acl;
-}
-
-# XXX: should be generalized
-sub _get_equiv_objects {
- my $self = shift;
- my %args = (
- object => undef,
- include_system_rights => undef,
- equiv_objects => [],
- @_
- );
- return () unless $args{'object'};
-
- my @objects = ( $args{'object'} );
- if ( UNIVERSAL::isa( $args{'object'}, 'RT::Model::Ticket' ) ) {
-
- # If we're looking at ticket rights, we also want to look at the associated queue rights.
- # this is a little bit hacky, but basically, now that we've done the ticket roles magic,
- # we load the queue object and ask all the rest of our questions about the queue.
-
- # XXX: This should be abstracted into object itself
- if ( $args{'object'}->id ) {
- push @objects, $args{'object'}->acl_equivalence_objects;
- } else {
- push @objects, 'RT::Model::Queue';
- }
- }
-
- if ( $args{'include_system_rights'} ) {
- push @objects, 'RT::System';
- }
- push @objects, @{ $args{'equiv_objects'} };
- return grep $_, @objects;
-}
-
-# XXX: should be generalized
-sub who_have_right {
- my $self = shift;
- my %args = (
- right => undef,
- object => undef,
- include_system_rights => undef,
- include_superusers => undef,
- include_subgroup_members => 1,
- equiv_objects => [],
- @_
- );
-
- if ( defined $args{'object_type'} || defined $args{'object_id'} ) {
- Jifty->log->fatal( "who_have_right called with the Obsolete object_id/Object_type API" );
- return (undef);
- }
-
- my $from_role = $self->clone;
- $from_role->who_have_role_right(%args);
-
- my $from_group = $self->clone;
- $from_group->who_have_group_right(%args);
-
- #XXX: DIRTY HACK
- use Jifty::DBI::Collection::Union;
- my $union = new Jifty::DBI::Collection::Union;
- $union->add($from_role);
- $union->add($from_group);
- %$self = %$union;
- bless $self, ref($union);
-
- return;
-}
-
-
-# XXX: should be generalized
-sub who_have_role_right {
- my $self = shift;
- my %args = (
- right => undef,
- object => undef,
- include_system_rights => undef,
- include_superusers => undef,
- include_subgroup_members => 1,
- equiv_objects => [],
- @_
- );
-
- my $groups = $self->_join_groups(%args);
- my $acl = $self->_join_acl(%args);
-
- my ( $check_roles, $check_objects ) = ( '', '' );
-
- my @objects = $self->_get_equiv_objects(%args);
-
- if (@objects) {
- my @role_clauses;
- my @object_clauses;
- foreach my $obj (@objects) {
- my $type = ref($obj) ? ref($obj) : $obj;
- my $id;
- $id = $obj->id
- if ref($obj) && UNIVERSAL::can( $obj, 'id' ) && $obj->id;
-
- my $role_clause = "$groups.domain = '$type-Role'";
-
- # if we want mysql 4.0 use indexes here. we MUST convert that
- # field to integer and drop this quotes.
- $role_clause .= " AND $groups.instance = '$id'" if $id;
- push @role_clauses, "($role_clause)";
- my $object_clause = "$acl.object_type = '$type'";
- $object_clause .= " AND $acl.object_id = $id" if $id;
- push @object_clauses, "($object_clause)";
-
- }
-
- $check_roles .= join ' OR ', @role_clauses;
- $check_objects = join ' OR ', @object_clauses;
- } else {
- if ( !$args{'include_system_rights'} ) {
- $check_objects = "($acl.object_type != 'RT::System')";
- }
- }
-
- $self->_add_subclause( "Whichobject", "($check_objects)" );
- $self->_add_subclause( "WhichRole", "($check_roles)" );
-
- $self->limit(
- alias => $acl,
- column => 'type',
- value => "$groups.Type",
- quote_value => 0,
- );
-
- # no system user
- $self->limit(
- alias => $self->principals_alias,
- column => 'id',
- operator => '!=',
- value => RT->system_user->id
- );
- return;
-}
-
-# XXX: should be generalized
-sub _join_group_members_for_group_rights {
- my $self = shift;
- my %args = (@_);
- my $group_members = $self->_join_group_members(%args);
- $self->limit(
- alias => $args{'aclalias'},
- column => 'principal',
- value => "$group_members.group_id",
- quote_value => 0,
- );
-}
-
-# XXX: should be generalized
-sub who_have_group_right {
- my $self = shift;
- my %args = (
- right => undef,
- object => undef,
- include_system_rights => undef,
- include_superusers => undef,
- include_subgroup_members => 1,
- equiv_objects => [],
- @_
- );
-
- # Find only rows where the Right granted is
- # the one we're looking up or _possibly_ superuser
- my $acl = $self->_join_acl(%args);
-
- my ($check_objects) = ('');
- my @objects = $self->_get_equiv_objects(%args);
-
- if (@objects) {
- my @object_clauses;
- foreach my $obj (@objects) {
- my $type = ref($obj) ? ref($obj) : $obj;
- my $id;
- $id = $obj->id
- if ref($obj) && UNIVERSAL::can( $obj, 'id' ) && $obj->id;
-
- my $object_clause = "$acl.object_type = '$type'";
- $object_clause .= " AND $acl.object_id = $id" if $id;
- push @object_clauses, "($object_clause)";
- }
-
- $check_objects = join ' OR ', @object_clauses;
- } else {
- if ( !$args{'include_system_rights'} ) {
- $check_objects = "($acl.object_type != 'RT::System')";
- }
- }
- $self->_add_subclause( "Whichobject", "($check_objects)" );
-
- $self->_join_group_members_for_group_rights( %args, aclalias => $acl );
-
- # Find only members of groups that have the right.
- $self->limit(
- alias => $acl,
- column => 'type',
- value => 'Group',
- );
-
- # no system user
- $self->limit(
- alias => $self->principals_alias,
- column => 'id',
- operator => '!=',
- value => RT->system_user->id
- );
- return;
-}
-
-
-=head2 who_belong_to_groups { Groups => ARRAYREF, include_subgroup_members => 1 }
-
-=cut
-
-# XXX: should be generalized
-sub who_belong_to_groups {
- my $self = shift;
- my %args = (
- groups => undef,
- include_subgroup_members => 1,
- @_
- );
-
- # Unprivileged users can't be granted real system rights.
- # is this really the right thing to be saying?
- $self->limit_to_privileged();
-
- my $group_members = $self->_join_group_members(%args);
-
- foreach my $groupid ( @{ $args{'groups'} } ) {
- $self->limit(
- alias => $group_members,
- column => 'group_id',
- value => $groupid,
- quote_value => 0,
- entry_aggregator => 'OR',
- );
- }
-}
-
-
1;
Modified: rt/3.999/trunk/lib/RT/ScripAction/CreateTickets.pm
==============================================================================
--- rt/3.999/trunk/lib/RT/ScripAction/CreateTickets.pm (original)
+++ rt/3.999/trunk/lib/RT/ScripAction/CreateTickets.pm Fri Mar 27 19:25:48 2009
@@ -140,7 +140,7 @@
object =>$groups->first,
include_system_rights => undef,
include_superusers => 0,
- include_subgroup_members => 0,
+ recursive => 0,
);
my @admins;
Modified: rt/3.999/trunk/t/api/groups.t
==============================================================================
--- rt/3.999/trunk/t/api/groups.t (original)
+++ rt/3.999/trunk/t/api/groups.t Fri Mar 27 19:25:48 2009
@@ -65,7 +65,7 @@
$global_admin_cc->load_role(object => RT->system, type => 'admin_cc');
ok($global_admin_cc->id, "Found the global admincc group");
my $groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'OwnTicket', object => $q);
+$groups->who_have_right(right => 'OwnTicket', object => $q);
is($groups->count, 1);
($id, $msg) = $global_admin_cc->principal->grant_right(right =>'OwnTicket', object=> RT->system);
ok ($id,$msg);
@@ -75,7 +75,7 @@
ok ($testuser->has_right(object => $q, right => 'OwnTicket') , "The test user does have the right to own tickets now. thank god.");
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'OwnTicket', object => $q);
+$groups->who_have_right(right => 'OwnTicket', object => $q);
ok ($id,$msg);
is($groups->count, 3);
@@ -98,15 +98,15 @@
*RTx::System::Record::id = *RTx::System::Record::id;
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'RTxGroupRight', object => $RTxSysObj);
+$groups->who_have_right(right => 'RTxGroupRight', object => $RTxSysObj);
is($groups->count, 1, "RTxGroupRight found for RTxSysObj");
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'RTxGroupRight', object => $RTxObj);
+$groups->who_have_right(right => 'RTxGroupRight', object => $RTxObj);
is($groups->count, 0, "RTxGroupRight not found for RTxObj");
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'RTxGroupRight', object => $RTxObj, equiv_objects => [ $RTxSysObj ]);
+$groups->who_have_right(right => 'RTxGroupRight', object => $RTxObj, equiv_objects => [ $RTxSysObj ]);
is($groups->count, 1, "RTxGroupRight found for RTxObj using equiv_objects");
use RT::Model::ACE;
@@ -119,11 +119,11 @@
*RTx::System::Record::id = sub { 5; };
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'RTxGroupRight', object => $RTxObj2);
+$groups->who_have_right(right => 'RTxGroupRight', object => $RTxObj2);
is($groups->count, 1, "RTxGroupRight found for RTxObj2");
$groups = RT::Model::GroupCollection->new(current_user => RT->system_user);
-$groups->with_right(right => 'RTxGroupRight', object => $RTxObj2, equiv_objects => [ $RTxSysObj ]);
+$groups->who_have_right(right => 'RTxGroupRight', object => $RTxObj2, equiv_objects => [ $RTxSysObj ]);
is($groups->count, 1, "RTxGroupRight found for RTxObj2");
More information about the Rt-commit
mailing list