[Rt-commit] rt branch, new-style-templates, updated. rt-3.8.8-228-g8da05c4

Shawn Moore sartak at bestpractical.com
Wed Jul 28 23:11:17 EDT 2010


The branch, new-style-templates has been updated
       via  8da05c4a878387e26bb2d21024a176de0b95a875 (commit)
      from  20546138ce2d024a436974b0700bb0a28510ef01 (commit)

Summary of changes:
 etc/upgrade/3.9.1/content  |    9 ++++-----
 lib/RT/Queue_Overlay.pm    |    1 -
 lib/RT/System.pm           |    1 +
 lib/RT/Template_Overlay.pm |   37 ++++++-------------------------------
 t/web/template.t           |    8 ++++----
 5 files changed, 15 insertions(+), 41 deletions(-)

- Log -----------------------------------------------------------------
commit 8da05c4a878387e26bb2d21024a176de0b95a875
Author: Shawn M Moore <sartak at bestpractical.com>
Date:   Wed Jul 28 23:12:22 2010 -0400

    Generalize ModifyPerlTemplate to ExecutePerl
    
        This new right is system-wide as opposed to queue-specific, which
        was kind of pointless. Simplifies some code and is useful for other
        places like user-defined conditions and actions (not yet
        ACL-checked against ExecutePerl)

diff --git a/etc/upgrade/3.9.1/content b/etc/upgrade/3.9.1/content
index d6f6e83..5f204ee 100644
--- a/etc/upgrade/3.9.1/content
+++ b/etc/upgrade/3.9.1/content
@@ -25,7 +25,7 @@
     },
     sub {
         use strict;
-        $RT::Logger->debug('Adding ModifyPerlTemplate right to principals that currently have ModifyTemplate');
+        $RT::Logger->debug('Adding ExecutePerl right to principals that currently have ModifyTemplate');
 
         my $acl = RT::ACL->new($RT::SystemUser);
         $acl->Limit(
@@ -35,16 +35,15 @@
         );
 
         while (my $ace = $acl->Next) {
-            my $object = $ace->Object;
             my $principal = $ace->PrincipalObj;
 
             my ($ok, $msg) = $principal->GrantRight(
-                Right => 'ModifyPerlTemplate',
-                Object => $object,
+                Right  => 'ExecutePerl',
+                Object => $RT::SystemUser,
             );
 
             if (!$ok) {
-                $RT::Logger->warn("Unable to grant ModifyPerlTemplate on principal " . $principal->id . ": $msg");
+                $RT::Logger->warn("Unable to grant ExecutePerl on principal " . $principal->id . ": $msg");
             }
         }
     },
diff --git a/lib/RT/Queue_Overlay.pm b/lib/RT/Queue_Overlay.pm
index 7201007..98bdec5 100755
--- a/lib/RT/Queue_Overlay.pm
+++ b/lib/RT/Queue_Overlay.pm
@@ -94,7 +94,6 @@ our $RIGHTS = {
     AssignCustomFields  => 'Assign and remove custom fields',         # loc_pair
     ModifyTemplate      => 'Modify Scrip templates for this queue',   # loc_pair
     ShowTemplate        => 'Display Scrip templates for this queue',  # loc_pair
-    ModifyPerlTemplate  => 'Modify templates with unlimited code execution', # loc_pair
 
     ModifyScrips => 'Modify Scrips for this queue',                   # loc_pair
     ShowScrips   => 'Display Scrips for this queue',                  # loc_pair
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 2a23e32..226d748 100755
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -89,6 +89,7 @@ our $RIGHTS = {
     ShowApprovalsTab => "show Approvals tab",     # loc_pair
     LoadSavedSearch => "allow loading of saved searches",     # loc_pair
     CreateSavedSearch => "allow creation of saved searches",      # loc_pair
+    ExecutePerl => "allow writing Perl code in templates, scrips, etc", # loc_pair
 };
 
 # Tell RT::ACE that this sort of object can get acls granted
diff --git a/lib/RT/Template_Overlay.pm b/lib/RT/Template_Overlay.pm
index 14d2ad4..5178fb2 100755
--- a/lib/RT/Template_Overlay.pm
+++ b/lib/RT/Template_Overlay.pm
@@ -211,13 +211,14 @@ sub Create {
         @_
     );
 
+    if ( $args{Type} eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ExecutePerl', Object => $RT::System) ) {
+        return ( undef, $self->loc('Permission Denied') );
+    }
+
     unless ( $args{'Queue'} ) {
         unless ( $self->CurrentUser->HasRight(Right =>'ModifyTemplate', Object => $RT::System) ) {
             return ( undef, $self->loc('Permission Denied') );
         }
-        if ( $args{Type} eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ModifyPerlTemplate', Object => $RT::System) ) {
-            return ( undef, $self->loc('Permission Denied') );
-        }
         $args{'Queue'} = 0;
     }
     else {
@@ -227,9 +228,6 @@ sub Create {
         unless ( $QueueObj->CurrentUserHasRight('ModifyTemplate') ) {
             return ( undef, $self->loc('Permission Denied') );
         }
-        if ( $args{Type} eq 'Perl' && !$QueueObj->CurrentUserHasRight('ModifyPerlTemplate') ) {
-            return ( undef, $self->loc('Permission Denied') );
-        }
         $args{'Queue'} = $QueueObj->Id;
     }
 
@@ -597,7 +595,7 @@ sub CurrentUserHasQueueRight {
 
 =head2 SetType
 
-If setting Type to Perl, require the ModifyPerlTemplate right on the queue.
+If setting Type to Perl, require the ExecutePerl right.
 
 =cut
 
@@ -605,36 +603,13 @@ sub SetType {
     my $self    = shift;
     my $NewType = shift;
 
-    if ($NewType eq 'Perl' && !$self->CurrentUserHasQueueRight('ModifyPerlTemplate')) {
+    if ($NewType eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ExecutePerl', Object => $RT::System)) {
         return ( undef, $self->loc('Permission Denied') );
     }
 
     return $self->_Set( Field => 'Type', Value => $NewType );
 }
 
-=head2 SetQueue
-
-When changing the queue, make sure the current user has ModifyPerlTemplate on the
-new queue if the type is Perl.
-
-Templates can't change Queue in the UI (yet?).
-
-=cut
-
-sub SetQueue {
-    my $self     = shift;
-    my $NewQueue = shift;
-
-    my $NewQueueObj = RT::Queue->new( $self->CurrentUser );
-    $NewQueueObj->Load($NewQueue);
-
-    if ( $self->Type eq 'Perl' && !$NewQueueObj->CurrentUserHasRight('ModifyPerlTemplate') ) {
-        return ( undef, $self->loc('Permission Denied. You do not have ModifyPerlTemplate on the new queue.') );
-    }
-
-    return $self->_Set( Field => 'Queue', Value => $NewQueueObj->id );
-}
-
 =head2 CompileCheck
 
 If the template's Type is Perl, then compile check all the codeblocks to see if
diff --git a/t/web/template.t b/t/web/template.t
index 18113d4..aee9fca 100644
--- a/t/web/template.t
+++ b/t/web/template.t
@@ -47,17 +47,17 @@ $m->submit;
 
 $m->title_is(q{Modify template Resolved}, 'modifying the Resolved template');
 $m->form_name('ModifyTemplate');
-is($m->value('Type'), 'Simple', 'need the ModifyPerlTemplate right to update Type to Perl');
+is($m->value('Type'), 'Simple', 'need the ExecutePerl right to update Type to Perl');
 $m->content_contains('Permission Denied');
 
 ok( RT::Test->add_rights(
-    { Principal => $user_a, Right => [qw(ModifyPerlTemplate)] },
-), 'add ModifyPerlTemplate rights');
+    { Principal => $user_a, Right => [qw(ExecutePerl)] },
+), 'add ExecutePerl rights');
 
 $m->field(Type => 'Perl');
 $m->submit;
 
 $m->title_is(q{Modify template Resolved}, 'modifying the Resolved template');
 $m->form_name('ModifyTemplate');
-is($m->value('Type'), 'Perl', 'now that we have ModifyPerlTemplate we can update Type to Perl');
+is($m->value('Type'), 'Perl', 'now that we have ExecutePerl we can update Type to Perl');
 

-----------------------------------------------------------------------


More information about the Rt-commit mailing list