commit ec754151ebd8db5862d35062b1a4d27e47cdb326
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri Aug 27 10:45:18 2010 -0400

    Add the jQuery UI Tabs widget

diff --git a/share/html/NoAuth/js/jquery-ui-1.8.4.custom.min.js b/share/html/NoAuth/js/jquery-ui-1.8.4.custom.min.js
old mode 100755
new mode 100644
index 673cb70..ed8ad71
--- a/share/html/NoAuth/js/jquery-ui-1.8.4.custom.min.js
+++ b/share/html/NoAuth/js/jquery-ui-1.8.4.custom.min.js
@@ -77,6 +77,41 @@ this.element.children(b))},nextPage:function(a){if(this.hasScroll())if(!this.act
 this.first())this.activate(a,this.element.children(":last"));else{var b=this.active.offset().top,c=this.element.height();result=this.element.children("li").filter(function(){var d=e(this).offset().top-b+c-e(this).height();return d<10&&d>-10});result.length||(result=this.element.children(":first"));this.activate(a,result)}else this.activate(a,this.element.children(!this.active||this.first()?":last":":first"))},hasScroll:function(){return this.element.height()<this.element.attr("scrollHeight")},select:function(a){this._trigger("selected",
+ * jQuery UI Tabs 1.8.4
+ *
+ * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)
+ * Dual licensed under the MIT or GPL Version 2 licenses.
+ * http://jquery.org/license
+ *
+ * http://docs.jquery.com/UI/Tabs
+ *
+ * Depends:
+ *	jquery.ui.core.js
+ *	jquery.ui.widget.js
+ */
+(function(d,p){function u(){return++v}function w(){return++x}var v=0,x=0;d.widget("ui.tabs",{options:{add:null,ajaxOptions:null,cache:false,cookie:null,collapsible:false,disable:null,disabled:[],enable:null,event:"click",fx:null,idPrefix:"ui-tabs-",load:null,panelTemplate:"<div></div>",remove:null,select:null,show:null,spinner:"<em>Loading&#8230;</em>",tabTemplate:"<li><a href='#{href}'><span>#{label}</span></a></li>"},_create:function(){this._tabify(true)},_setOption:function(a,e){if(a=="selected")this.options.collapsible&&
+e==this.options.selected||this.select(e);else{this.options[a]=e;this._tabify()}},_tabId:function(a){return a.title&&a.title.replace(/\s/g,"_").replace(/[^A-Za-z0-9\-_:\.]/g,"")||this.options.idPrefix+u()},_sanitizeSelector:function(a){return a.replace(/:/g,"\\:")},_cookie:function(){var a=this.cookie||(this.cookie=this.options.cookie.name||"ui-tabs-"+w());return d.cookie.apply(null,[a].concat(d.makeArray(arguments)))},_ui:function(a,e){return{tab:a,panel:e,index:this.anchors.index(a)}},_cleanup:function(){this.lis.filter(".ui-state-processing").removeClass("ui-state-processing").find("span:data(label.tabs)").each(function(){var a=
+d(this);a.html(a.data("label.tabs")).removeData("label.tabs")})},_tabify:function(a){function e(g,f){g.css("display","");!d.support.opacity&&f.opacity&&g[0].style.removeAttribute("filter")}var b=this,c=this.options,h=/^#.+/;this.list=this.element.find("ol,ul").eq(0);this.lis=d("li:has(a[href])",this.list);this.anchors=this.lis.map(function(){return d("a",this)[0]});this.panels=d([]);this.anchors.each(function(g,f){var j=d(f).attr("href"),l=j.split("#")[0],q;if(l&&(l===location.toString().split("#")[0]||
+(q=d("base")[0])&&l===q.href)){j=f.hash;f.href=j}if(h.test(j))b.panels=b.panels.add(b._sanitizeSelector(j));else if(j!=="#"){d.data(f,"href.tabs",j);d.data(f,"load.tabs",j.replace(/#.*$/,""));j=b._tabId(f);f.href="#"+j;f=d("#"+j);if(!f.length){f=d(c.panelTemplate).attr("id",j).addClass("ui-tabs-panel ui-widget-content ui-corner-bottom").insertAfter(b.panels[g-1]||b.list);f.data("destroy.tabs",true)}b.panels=b.panels.add(f)}else c.disabled.push(g)});if(a){this.element.addClass("ui-tabs ui-widget ui-widget-content ui-corner-all");
+this.list.addClass("ui-tabs-nav ui-helper-reset ui-helper-clearfix ui-widget-header ui-corner-all");this.lis.addClass("ui-state-default ui-corner-top");this.panels.addClass("ui-tabs-panel ui-widget-content ui-corner-bottom");if(c.selected===p){location.hash&&this.anchors.each(function(g,f){if(f.hash==location.hash){c.selected=g;return false}});if(typeof c.selected!=="number"&&c.cookie)c.selected=parseInt(b._cookie(),10);if(typeof c.selected!=="number"&&this.lis.filter(".ui-tabs-selected").length)c.selected=
+this.lis.index(this.lis.filter(".ui-tabs-selected"));c.selected=c.selected||(this.lis.length?0:-1)}else if(c.selected===null)c.selected=-1;c.selected=c.selected>=0&&this.anchors[c.selected]||c.selected<0?c.selected:0;c.disabled=d.unique(c.disabled.concat(d.map(this.lis.filter(".ui-state-disabled"),function(g){return b.lis.index(g)}))).sort();d.inArray(c.selected,c.disabled)!=-1&&c.disabled.splice(d.inArray(c.selected,c.disabled),1);this.panels.addClass("ui-tabs-hide");this.lis.removeClass("ui-tabs-selected ui-state-active");
+if(c.selected>=0&&this.anchors.length){this.panels.eq(c.selected).removeClass("ui-tabs-hide");this.lis.eq(c.selected).addClass("ui-tabs-selected ui-state-active");b.element.queue("tabs",function(){b._trigger("show",null,b._ui(b.anchors[c.selected],b.panels[c.selected]))});this.load(c.selected)}d(window).bind("unload",function(){b.lis.add(b.anchors).unbind(".tabs");b.lis=b.anchors=b.panels=null})}else c.selected=this.lis.index(this.lis.filter(".ui-tabs-selected"));this.element[c.collapsible?"addClass":
+"removeClass"]("ui-tabs-collapsible");c.cookie&&this._cookie(c.selected,c.cookie);a=0;for(var i;i=this.lis[a];a++)d(i)[d.inArray(a,c.disabled)!=-1&&!d(i).hasClass("ui-tabs-selected")?"addClass":"removeClass"]("ui-state-disabled");c.cache===false&&this.anchors.removeData("cache.tabs");this.lis.add(this.anchors).unbind(".tabs");if(c.event!=="mouseover"){var k=function(g,f){f.is(":not(.ui-state-disabled)")&&f.addClass("ui-state-"+g)},n=function(g,f){f.removeClass("ui-state-"+g)};this.lis.bind("mouseover.tabs",
+function(){k("hover",d(this))});this.lis.bind("mouseout.tabs",function(){n("hover",d(this))});this.anchors.bind("focus.tabs",function(){k("focus",d(this).closest("li"))});this.anchors.bind("blur.tabs",function(){n("focus",d(this).closest("li"))})}var m,o;if(c.fx)if(d.isArray(c.fx)){m=c.fx[0];o=c.fx[1]}else m=o=c.fx;var r=o?function(g,f){d(g).closest("li").addClass("ui-tabs-selected ui-state-active");f.hide().removeClass("ui-tabs-hide").animate(o,o.duration||"normal",function(){e(f,o);b._trigger("show",
+null,b._ui(g,f[0]))})}:function(g,f){d(g).closest("li").addClass("ui-tabs-selected ui-state-active");f.removeClass("ui-tabs-hide");b._trigger("show",null,b._ui(g,f[0]))},s=m?function(g,f){f.animate(m,m.duration||"normal",function(){b.lis.removeClass("ui-tabs-selected ui-state-active");f.addClass("ui-tabs-hide");e(f,m);b.element.dequeue("tabs")})}:function(g,f){b.lis.removeClass("ui-tabs-selected ui-state-active");f.addClass("ui-tabs-hide");b.element.dequeue("tabs")};this.anchors.bind(c.event+".tabs",
+function(){var g=this,f=d(g).closest("li"),j=b.panels.filter(":not(.ui-tabs-hide)"),l=d(b._sanitizeSelector(g.hash));if(f.hasClass("ui-tabs-selected")&&!c.collapsible||f.hasClass("ui-state-disabled")||f.hasClass("ui-state-processing")||b._trigger("select",null,b._ui(this,l[0]))===false){this.blur();return false}c.selected=b.anchors.index(this);b.abort();if(c.collapsible)if(f.hasClass("ui-tabs-selected")){c.selected=-1;c.cookie&&b._cookie(c.selected,c.cookie);b.element.queue("tabs",function(){s(g,
+j)}).dequeue("tabs");this.blur();return false}else if(!j.length){c.cookie&&b._cookie(c.selected,c.cookie);b.element.queue("tabs",function(){r(g,l)});b.load(b.anchors.index(this));this.blur();return false}c.cookie&&b._cookie(c.selected,c.cookie);if(l.length){j.length&&b.element.queue("tabs",function(){s(g,j)});b.element.queue("tabs",function(){r(g,l)});b.load(b.anchors.index(this))}else throw"jQuery UI Tabs: Mismatching fragment identifier.";d.browser.msie&&this.blur()});this.anchors.bind("click.tabs",
+function(){return false})},_getIndex:function(a){if(typeof a=="string")a=this.anchors.index(this.anchors.filter("[href$="+a+"]"));return a},destroy:function(){var a=this.options;this.abort();this.element.unbind(".tabs").removeClass("ui-tabs ui-widget ui-widget-content ui-corner-all ui-tabs-collapsible").removeData("tabs");this.list.removeClass("ui-tabs-nav ui-helper-reset ui-helper-clearfix ui-widget-header ui-corner-all");this.anchors.each(function(){var e=d.data(this,"href.tabs");if(e)this.href=
+e;var b=d(this).unbind(".tabs");d.each(["href","load","cache"],function(c,h){b.removeData(h+".tabs")})});this.lis.unbind(".tabs").add(this.panels).each(function(){d.data(this,"destroy.tabs")?d(this).remove():d(this).removeClass("ui-state-default ui-corner-top ui-tabs-selected ui-state-active ui-state-hover ui-state-focus ui-state-disabled ui-tabs-panel ui-widget-content ui-corner-bottom ui-tabs-hide")});a.cookie&&this._cookie(null,a.cookie);return this},add:function(a,e,b){if(b===p)b=this.anchors.length;
+var c=this,h=this.options;e=d(h.tabTemplate.replace(/#\{href\}/g,a).replace(/#\{label\}/g,e));a=!a.indexOf("#")?a.replace("#",""):this._tabId(d("a",e)[0]);e.addClass("ui-state-default ui-corner-top").data("destroy.tabs",true);var i=d("#"+a);i.length||(i=d(h.panelTemplate).attr("id",a).data("destroy.tabs",true));i.addClass("ui-tabs-panel ui-widget-content ui-corner-bottom ui-tabs-hide");if(b>=this.lis.length){e.appendTo(this.list);i.appendTo(this.list[0].parentNode)}else{e.insertBefore(this.lis[b]);
+i.insertBefore(this.panels[b])}h.disabled=d.map(h.disabled,function(k){return k>=b?++k:k});this._tabify();if(this.anchors.length==1){h.selected=0;e.addClass("ui-tabs-selected ui-state-active");i.removeClass("ui-tabs-hide");this.element.queue("tabs",function(){c._trigger("show",null,c._ui(c.anchors[0],c.panels[0]))});this.load(0)}this._trigger("add",null,this._ui(this.anchors[b],this.panels[b]));return this},remove:function(a){a=this._getIndex(a);var e=this.options,b=this.lis.eq(a).remove(),c=this.panels.eq(a).remove();
+if(b.hasClass("ui-tabs-selected")&&this.anchors.length>1)this.select(a+(a+1<this.anchors.length?1:-1));e.disabled=d.map(d.grep(e.disabled,function(h){return h!=a}),function(h){return h>=a?--h:h});this._tabify();this._trigger("remove",null,this._ui(b.find("a")[0],c[0]));return this},enable:function(a){a=this._getIndex(a);var e=this.options;if(d.inArray(a,e.disabled)!=-1){this.lis.eq(a).removeClass("ui-state-disabled");e.disabled=d.grep(e.disabled,function(b){return b!=a});this._trigger("enable",null,
+this._ui(this.anchors[a],this.panels[a]));return this}},disable:function(a){a=this._getIndex(a);var e=this.options;if(a!=e.selected){this.lis.eq(a).addClass("ui-state-disabled");e.disabled.push(a);e.disabled.sort();this._trigger("disable",null,this._ui(this.anchors[a],this.panels[a]))}return this},select:function(a){a=this._getIndex(a);if(a==-1)if(this.options.collapsible&&this.options.selected!=-1)a=this.options.selected;else return this;this.anchors.eq(a).trigger(this.options.event+".tabs");return this},
+load:function(a){a=this._getIndex(a);var e=this,b=this.options,c=this.anchors.eq(a)[0],h=d.data(c,"load.tabs");this.abort();if(!h||this.element.queue("tabs").length!==0&&d.data(c,"cache.tabs"))this.element.dequeue("tabs");else{this.lis.eq(a).addClass("ui-state-processing");if(b.spinner){var i=d("span",c);i.data("label.tabs",i.html()).html(b.spinner)}this.xhr=d.ajax(d.extend({},b.ajaxOptions,{url:h,success:function(k,n){d(e._sanitizeSelector(c.hash)).html(k);e._cleanup();b.cache&&d.data(c,"cache.tabs",
+true);e._trigger("load",null,e._ui(e.anchors[a],e.panels[a]));try{b.ajaxOptions.success(k,n)}catch(m){}},error:function(k,n){e._cleanup();e._trigger("load",null,e._ui(e.anchors[a],e.panels[a]));try{b.ajaxOptions.error(k,n,a,c)}catch(m){}}}));e.element.dequeue("tabs");return this}},abort:function(){this.element.queue([]);this.panels.stop(false,true);this.element.queue("tabs",this.element.queue("tabs").splice(-2,2));if(this.xhr){this.xhr.abort();delete this.xhr}this._cleanup();return this},url:function(a,
+e){this.anchors.eq(a).removeData("cache.tabs").data("load.tabs",e);return this},length:function(){return this.anchors.length}});d.extend(d.ui.tabs,{version:"1.8.4"});d.extend(d.ui.tabs.prototype,{rotation:null,rotate:function(a,e){var b=this,c=this.options,h=b._rotate||(b._rotate=function(i){clearTimeout(b.rotation);b.rotation=setTimeout(function(){var k=c.selected;b.select(++k<b.anchors.length?k:0)},a);i&&i.stopPropagation()});e=b._unrotate||(b._unrotate=!e?function(i){i.clientX&&b.rotate(null)}:
+function(){t=c.selected;h()});if(a){this.element.bind("tabsshow",h);this.anchors.bind(c.event+".tabs",e);h()}else{clearTimeout(b.rotation);this.element.unbind("tabsshow",h);this.anchors.unbind(c.event+".tabs",e);delete this._rotate;delete this._unrotate}return this}})})(jQuery);
  * jQuery UI Datepicker 1.8.4
  * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)

commit 8433bae2b74f79f11714476d73dc23d48f6ef7f8
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri Aug 27 10:54:47 2010 -0400

    Add the jQuery UI Tabs CSS that I forgot

diff --git a/share/html/NoAuth/css/base/jquery-ui-1.8.4.custom.modified.css b/share/html/NoAuth/css/base/jquery-ui-1.8.4.custom.modified.css
index 25d7b74..973d812 100755
--- a/share/html/NoAuth/css/base/jquery-ui-1.8.4.custom.modified.css
+++ b/share/html/NoAuth/css/base/jquery-ui-1.8.4.custom.modified.css
@@ -346,6 +346,24 @@
 	margin: -1px;
+ * jQuery UI Tabs @VERSION
+ *
+ * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)
+ * Dual licensed under the MIT or GPL Version 2 licenses.
+ * http://jquery.org/license
+ *
+ * http://docs.jquery.com/UI/Tabs#theming
+ */
+.ui-tabs { position: relative; padding: .2em; zoom: 1; } /* position: relative prevents IE scroll bug (element with position: relative inside container with overflow: auto appear as "fixed") */
+.ui-tabs .ui-tabs-nav { margin: 0; padding: .2em .2em 0; }
+.ui-tabs .ui-tabs-nav li { list-style: none; float: left; position: relative; top: 1px; margin: 0 .2em 1px 0; border-bottom: 0 !important; padding: 0; white-space: nowrap; }
+.ui-tabs .ui-tabs-nav li a { float: left; padding: .5em 1em; text-decoration: none; }
+.ui-tabs .ui-tabs-nav li.ui-tabs-selected { margin-bottom: 0; padding-bottom: 1px; }
+.ui-tabs .ui-tabs-nav li.ui-tabs-selected a, .ui-tabs .ui-tabs-nav li.ui-state-disabled a, .ui-tabs .ui-tabs-nav li.ui-state-processing a { cursor: text; }
+.ui-tabs .ui-tabs-nav li a, .ui-tabs.ui-tabs-collapsible .ui-tabs-nav li.ui-tabs-selected a { cursor: pointer; } /* first selector in group seems obsolete, but required to overcome bug in Opera applying cursor: text overall if defined elsewhere... */
+.ui-tabs .ui-tabs-panel { display: block; border-width: 0; padding: 1em 1.4em; background: none; }
+.ui-tabs .ui-tabs-hide { display: none !important; }
  * jQuery UI Datepicker @VERSION
  * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)

commit 91e7c76901e3eec304735ad8aee250b3d47e97e2
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri Aug 27 16:51:14 2010 -0400

    Fix doc reference to column name

diff --git a/lib/RT/GroupMember_Overlay.pm b/lib/RT/GroupMember_Overlay.pm
index 626a59b..50b0c0f 100755
--- a/lib/RT/GroupMember_Overlay.pm
+++ b/lib/RT/GroupMember_Overlay.pm
@@ -359,7 +359,7 @@ sub Delete {
 =head2 MemberObj
-Returns an RT::Principal object for the Principal specified by $self->PrincipalId
+Returns an RT::Principal object for the Principal specified by $self->MemberId

commit c25dd8c7ee5b5c142c16998b3c535ce0aac4dada
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri Aug 27 17:19:07 2010 -0400

    Checkpoint of the new rights editor /Admin/Elements/EditRights
    I replaced the old queue rights pages with the new editor, but they
    aren't completely functioning yet.  Fitting it into the other rights
    pages should be simple from here out though.
      - Rights need to be split into categories
      - ProcessACLChanges needs to be updated to understand the checkbox format
      - User/group object lists need to be limited to only those with rights granted
      - Add ability to add a user/group using autocomplete textbox

diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
new file mode 100644
index 0000000..25d5586
--- /dev/null
+++ b/share/html/Admin/Elements/EditRights
@@ -0,0 +1,95 @@
+use Scalar::Util qw(blessed);
+%# Principals is an array of arrays, where the inner arrays are like:
+%#      [ 'Category name' => $CollectionObj => 'DisplayColumn' => 1 ]
+%# The last value is a boolen determining if the value of DisplayColumn
+%# should be loc()-ed before display.
+<script type="text/javascript">
+  jQuery(function() {
+      jQuery(".rights-editor").tabs();
+  });
+<div class="rights-editor clearfix">
+  <ul>
+for my $category (@$Principals) {
+    my ($name, $collection, $col, $loc) = @$category;
+<li class="category"><% $name %></li>
+    while ( my $obj = $collection->Next ) {
+        my $display = ref $col eq 'CODE' ? $col->($obj) : $obj->$col;
+        my $id = "acl-$name-" . $obj->PrincipalId;
+        $id =~ s/[^a-zA-Z0-9\-]/_/g;
+<li><a href="#<% $id %>"><% $loc ? loc($display) : $display %></a></li>
+    }
+  </ul>
+# Find all our available rights
+my %available_rights;
+if ( blessed($Context) and $Context->can('AvailableRights') ) { 
+    %available_rights = %{$Context->AvailableRights};
+else {
+    %available_rights = ( loc('System Error') => loc("No rights found") );
+# Find all the current rights
+my %current_rights;
+for my $collection (map { $_->[1] } @$Principals) {
+    while (my $group = $collection->Next) {
+        my $acls = RT::ACL->new($session{'CurrentUser'});
+        $acls->LimitToObject( $Context );
+        $acls->LimitToPrincipal( Id => $group->PrincipalId );
+        $acls->OrderBy( FIELD => 'RightName' ); 
+        while ( my $ace = $acls->Next ) {
+            my $right = $ace->RightName;
+            $current_rights{$group->PrincipalId}->{$right} = 1;
+        }
+    }
+# Now generate our rights panels for each principal
+for my $category (@$Principals) {
+    my ($name, $collection, $col, $loc) = @$category;
+    while ( my $obj = $collection->Next ) {
+        my $display = ref $col eq 'CODE' ? $col->($obj) : $obj->$col;
+        my $acldesc = join '-', $obj->PrincipalId, ref($Context), $Context->Id;
+        my $id = "acl-$name-" . $obj->PrincipalId;
+        $id =~ s/[^a-zA-Z0-9\-]/_/g;
+  <div id="<% $id %>">
+    <h3>Rights for <% $loc ? loc($display) : $display %></h3>
+    <ul class="rights-list">
+% for my $right (keys %available_rights) {
+      <li>
+        <input type="checkbox" class="checkbox"
+               name="GrantRight-<% $acldesc %>"
+               id="GrantRight-<% $acldesc %>-<% $right %>"
+               value="<% $right %>"
+               <% $current_rights{$obj->PrincipalId}->{$right} ? 'checked' : '' %> />
+        <label for="GrantRight-<% $acldesc %>-<% $right %>">
+          <% loc($available_rights{$right}) %>
+        </label>
+      </li>
+% }
+    </ul>
+  </div>
+    }
diff --git a/share/html/Admin/Queues/GroupRights.html b/share/html/Admin/Queues/GroupRights.html
index 3cbb105..2f5824f 100755
--- a/share/html/Admin/Queues/GroupRights.html
+++ b/share/html/Admin/Queues/GroupRights.html
@@ -47,74 +47,25 @@
 <& /Admin/Elements/Header, Title => loc('Modify group rights for queue [_1]', $QueueObj->Name) &>
 <& /Admin/Elements/QueueTabs, id => $id, 
-    QueueObj => $QueueObj,                                                      
+    QueueObj => $QueueObj,
     current_tab => $current_tab, 
     Title => loc('Modify group rights for queue [_1]', $QueueObj->Name) &>
 <& /Elements/ListActions, actions => \@results &>
-  <form method="post" action="GroupRights.html">
-    <input type="hidden" class="hidden" name="id" value="<% $QueueObj->id %>" />
-<h1><&|/l&>System groups</&></h1>
+<form method="post" action="GroupRights.html">
+  <input type="hidden" class="hidden" name="id" value="<% $QueueObj->id %>" />
+%# XXX TODO: this was just after the opening table tag, put it somewhere reasonable    
 % $m->callback( %ARGS, QueueObj => $QueueObj, results => \@results );
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToSystemInternalGroups();
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object => $QueueObj  &>
-	  </td>
-	</tr>
-% }
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToRolesForQueue($QueueObj->Id);
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object => $QueueObj  &>
-	  </td>
-	</tr>
-% }
-<h1><&|/l&>User defined groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToUserDefinedGroups();    
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% $Group->Name %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object => $QueueObj  &>
-	  </td>
-	</tr>
-% }
-      <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
-  </form>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
+  <& /Admin/Elements/EditRights, Context => $QueueObj, Principals => \@principals &>
+  <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
+# Update the acls.
+my @results =  ProcessACLChanges(\%ARGS);
 if (!defined $id) {
     Abort(loc("No Queue defined"));
@@ -123,12 +74,26 @@ if (!defined $id) {
 my $QueueObj = RT::Queue->new($session{'CurrentUser'});
 $QueueObj->Load($id) || Abort(loc("Couldn't load queue [_1]",$id));
-my $Groups;
-my $current_tab;
-$current_tab = 'Admin/Queues/GroupRights.html?id='.$QueueObj->id;
+my $current_tab = 'Admin/Queues/GroupRights.html?id='.$QueueObj->id;
+# Principal collections
+my $system = RT::Groups->new($session{'CurrentUser'});
+my $roles = RT::Groups->new($session{'CurrentUser'});
+my $groups = RT::Groups->new($session{'CurrentUser'});
+# XXX TODO: only find those user groups with rights granted
+my @principals = (
+    # Category        collection   column    loc?
+    ['System'      => $system   => 'Type' => 1],
+    ['Roles'       => $roles    => 'Type' => 1],
+    ['User Groups' => $groups   => 'Name' => 0],
 $id => undef
diff --git a/share/html/Admin/Queues/UserRights.html b/share/html/Admin/Queues/UserRights.html
index ecfac9d..757991f 100755
--- a/share/html/Admin/Queues/UserRights.html
+++ b/share/html/Admin/Queues/UserRights.html
@@ -47,43 +47,26 @@
 <& /Admin/Elements/Header, Title => loc('Modify user rights for queue [_1]', $QueueObj->Name) &>
 <& /Admin/Elements/QueueTabs, id => $id,
-    QueueObj => $QueueObj,                                                      
+    QueueObj => $QueueObj,
     current_tab => $current_tab, 
     Title => loc('Modify user rights for queue [_1]', $QueueObj->Name) &>
 <& /Elements/ListActions, actions => \@results &>
-  <form method="post" action="UserRights.html">
-    <input type="hidden" class="hidden" name="id" value="<% $QueueObj->id %>" />
+<form method="post" action="UserRights.html">
+  <input type="hidden" class="hidden" name="id" value="<% $QueueObj->id %>" />
+%# XXX TODO put this somewhere more reasonable      
 % $m->callback( %ARGS, QueueObj => $QueueObj, results => \@results );
-%	while (my $Member = $Users->Next()) {
-% my $UserObj = $Member->MemberObj->Object();
-% my $group = RT::Group->new($session{'CurrentUser'});
-% $group->LoadACLEquivalenceGroup($Member->MemberObj);
-  <tr align="right"> 
-	<td valign="top"><& /Elements/ShowUser, User => $UserObj &></td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId=> $group->PrincipalId,
-        Object => $QueueObj  &>
-	  </td>
-	</tr>
-% }
-      </table>
-      <& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
-  </form>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
-# {{{ Deal with setting up the display of current rights.
+  <& /Admin/Elements/EditRights, Context => $QueueObj, Principals => \@principals &>
+  <& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
+# Update the acls.
+my @results =  ProcessACLChanges(\%ARGS);
 if (!defined $id) {
     Abort(loc("No Queue defined"));
@@ -92,16 +75,17 @@ if (!defined $id) {
 my $QueueObj = RT::Queue->new($session{'CurrentUser'});
 $QueueObj->Load($id) || Abort(loc("Couldn't load queue [_1]",$id));
-# Find out which users we want to display ACL selects for
+# Find out which users we want to display ACLs for
 my $Privileged = RT::Group->new($session{'CurrentUser'});
-my $Users = $Privileged->MembersObj();
+my $Users = $Privileged->UserMembersObj();
+my $display = sub {
+    $m->scomp('/Elements/ShowUser', User => $_[0], NoEscape => 1)
+my @principals = (['Users' => $Users => $display => 0]);
-# }}}
-my $current_tab;
-$current_tab = 'Admin/Queues/UserRights.html?id='.$QueueObj->id;
+my $current_tab = 'Admin/Queues/UserRights.html?id='.$QueueObj->id;
diff --git a/share/html/NoAuth/css/base/jquery-ui.css b/share/html/NoAuth/css/base/jquery-ui.css
new file mode 100644
index 0000000..b59e22a
--- /dev/null
+++ b/share/html/NoAuth/css/base/jquery-ui.css
@@ -0,0 +1,2 @@
+ at import "jquery-ui-1.8.4.custom.modified.css";
+ at import "ui.timepickr.css";
diff --git a/share/html/NoAuth/css/base/main.css b/share/html/NoAuth/css/base/main.css
index 753c39f..76a4b15 100644
--- a/share/html/NoAuth/css/base/main.css
+++ b/share/html/NoAuth/css/base/main.css
@@ -47,8 +47,10 @@
 % $m->callback(CallbackName => 'Begin');
+ at import "jquery-ui.css";
 @import "misc.css";
 @import "ticket-form.css";
+ at import "rights-editor.css";
 % $m->callback(CallbackName => 'End');
diff --git a/share/html/NoAuth/css/base/misc.css b/share/html/NoAuth/css/base/misc.css
index 3281c31..383dc04 100644
--- a/share/html/NoAuth/css/base/misc.css
+++ b/share/html/NoAuth/css/base/misc.css
@@ -45,9 +45,6 @@
 %# those contributions and any derivatives thereof.
- at import "jquery-ui-1.8.4.custom.modified.css";
- at import "ui.timepickr.css";
 .hide, .hidden { display: none !important; }
 .clear { clear: both; }
diff --git a/share/html/NoAuth/css/base/rights-editor.css b/share/html/NoAuth/css/base/rights-editor.css
new file mode 100644
index 0000000..82d7a56
--- /dev/null
+++ b/share/html/NoAuth/css/base/rights-editor.css
@@ -0,0 +1,59 @@
+/* This selector is very heavy handed, but the jQuery UI theme is tenacious */
+.rights-editor, .rights-editor * {
+    font-family: arial, helvetica, sans-serif !important;
+/* Styles for putting jQuery UI tabs on the left */
+.rights-editor {
+    border: none;
+    background: transparent;
+/* Position and style the left tabs */
+.rights-editor > .ui-tabs-nav {
+    float: left;
+    background: transparent;
+    border: none;
+    color: black;
+.rights-editor > .ui-tabs-nav li {
+    float: none;
+    display: block;
+    border: none;
+    background: transparent;
+.rights-editor > .ui-tabs-nav li a {
+    float: none;
+    display: block;
+    padding: 0 0 0.2em 1em;
+    overflow: hidden;
+    text-overflow: ellipsis;
+.rights-editor .ui-tabs-nav li.category {
+    text-transform: uppercase;
+li.category ~ li.category {
+    margin-top: 1em;
+/* Position the outer-most panel */
+.rights-editor > .ui-tabs-panel {
+    position: static;
+    float: right;
+.rights-editor .ui-tabs-panel {
+    padding: 2px;
+.rights-editor .ui-tabs-panel h3 {
+    margin-top: 0;
+.rights-editor ul.rights-list {
+    list-style: none;

commit b9634f3074184c00c22301b9ba720877cc5b02e7
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 11:59:33 2010 -0400

    ProcessACLChanges now expects values from a series of checkboxes
    This breaks the old SelectRights element, but makes it work for the new
    rights editor.
    It now expects form inputs with names like
    SetRights-PrincipalId-ObjType-ObjId instead of Grant/RevokeRight.  Each
    input should be an array listing the rights the principal should have,
    and ProcessACLChanges will modify the current rights to match.
    Additionally, the previously unused CheckACL input listing
    PrincipalId-ObjType-ObjId is now used to catch cases when all the rights
    are removed from a principal and no SetRights input is submitted.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 90e3f3f..5515211 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1367,25 +1367,30 @@ sub ParseDateToISO {
 sub ProcessACLChanges {
     my $ARGSref = shift;
+    my (%state, @results);
     #XXX: why don't we get ARGSref like in other Process* subs?
-    my @results;
+    my $CheckACL = $ARGSref->{'CheckACL'};
+    my @check = grep { defined } (ref $CheckACL eq 'ARRAY' ? @$CheckACL : $CheckACL);
+    # Build our rights state for each Principal-Object tuple
     foreach my $arg ( keys %$ARGSref ) {
-        next unless ( $arg =~ /^(GrantRight|RevokeRight)-(\d+)-(.+?)-(\d+)$/ );
-        my ( $method, $principal_id, $object_type, $object_id ) = ( $1, $2, $3, $4 );
+        next unless $arg =~ /^SetRights-(\d+-.+?-\d+)$/;
-        my @rights;
-        if ( UNIVERSAL::isa( $ARGSref->{$arg}, 'ARRAY' ) ) {
-            @rights = @{ $ARGSref->{$arg} };
-        } else {
-            @rights = $ARGSref->{$arg};
-        }
-        @rights = grep $_, @rights;
+        my $tuple  = $1;
+        my $value  = $ARGSref->{$arg};
+        my @rights = grep { $_ } (ref $value eq 'ARRAY' ? @$value : $value);
         next unless @rights;
+        $state{$tuple} = { map { $_ => 1 } @rights };
+    }
+    foreach my $tuple (@check) {
+        next unless $tuple =~ /^(\d+)-(.+?)-(\d+)$/;
+        my ( $principal_id, $object_type, $object_id ) = ( $1, $2, $3 );
         my $principal = RT::Principal->new( $session{'CurrentUser'} );
@@ -1405,9 +1410,35 @@ sub ProcessACLChanges {
-        foreach my $right (@rights) {
-            my ( $val, $msg ) = $principal->$method( Object => $obj, Right => $right );
-            push( @results, $msg );
+        my $acls = RT::ACL->new($session{'CurrentUser'});
+        $acls->LimitToObject( $obj );
+        $acls->LimitToPrincipal( Id => $principal_id );
+        while ( my $ace = $acls->Next ) {
+            my $right = $ace->RightName;
+            # Has right and should have right
+            next if delete $state{$tuple}->{$right};
+            # Has right and shouldn't have right
+            my ($val, $msg) = $principal->RevokeRight( Object => $obj, Right => $right );
+            push @results, $msg;
+        }
+        # For everything left, they don't have the right but they should
+        for my $right (keys %{ $state{$tuple} || {} }) {
+            delete $state{$tuple}->{$right};
+            my ($val, $msg) = $principal->GrantRight( Object => $obj, Right => $right );
+            push @results, $msg;
+        }
+        # Check our state for leftovers
+        if ( keys %{ $state{$tuple} || {} } ) {
+            my $missed = join '|', %{$state{$tuple} || {}};
+            $RT::Logger->warn(
+               "Uh-oh, it looks like we somehow missed a right in "
+              ."ProcessACLChanges.  Here's what was leftover: $missed"
+            );
diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
index 25d5586..21d0434 100644
--- a/share/html/Admin/Elements/EditRights
+++ b/share/html/Admin/Elements/EditRights
@@ -71,22 +71,24 @@ for my $category (@$Principals) {
         my $id = "acl-$name-" . $obj->PrincipalId;
         $id =~ s/[^a-zA-Z0-9\-]/_/g;
   <div id="<% $id %>">
     <h3>Rights for <% $loc ? loc($display) : $display %></h3>
     <ul class="rights-list">
 % for my $right (keys %available_rights) {
         <input type="checkbox" class="checkbox"
-               name="GrantRight-<% $acldesc %>"
-               id="GrantRight-<% $acldesc %>-<% $right %>"
+               name="SetRights-<% $acldesc %>"
+               id="SetRights-<% $acldesc %>-<% $right %>"
                value="<% $right %>"
                <% $current_rights{$obj->PrincipalId}->{$right} ? 'checked' : '' %> />
-        <label for="GrantRight-<% $acldesc %>-<% $right %>">
+        <label for="SetRights-<% $acldesc %>-<% $right %>">
           <% loc($available_rights{$right}) %>
 % }
+    <input type="hidden" name="CheckACL" value="<% $acldesc %>" />

commit 8e85e99d08dff694ee166b539d6f3dcb29e1033e
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 13:50:26 2010 -0400

    Replace SelectRights everywhere with the new rights editor
    This introduces GetPrincipalsMap() which consolidates a lot of common
    principal collection creation.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 5515211..9bbee7a 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -2129,6 +2129,58 @@ sub ProcessColumnMapValue {
     return $value;
+=head2 GetPrincipalsMap OBJECT, CATEGORIES
+Returns an array suitable for passing to /Admin/Elements/EditRights with the
+principal collections mapped from the categories given.
+sub GetPrincipalsMap {
+    my $object = shift;
+    my @map;
+    for (@_) {
+        if (/System/) {
+            my $system = RT::Groups->new($session{'CurrentUser'});
+            $system->LimitToSystemInternalGroups();
+            push @map, ['System' => $system => 'Type' => 1];
+        }
+        elsif (/Groups/) {
+            my $groups = RT::Groups->new($session{'CurrentUser'});
+            $groups->LimitToUserDefinedGroups();
+            # XXX TODO: only find those user groups with rights granted
+            push @map, ['User Groups' => $groups => 'Name' => 0];
+        }
+        elsif (/Roles/) {
+            my $roles = RT::Groups->new($session{'CurrentUser'});
+            if ($object->isa('RT::System')) {
+                $roles->LimitToRolesForSystem();
+            }
+            elsif ($object->isa('RT::Queue')) {
+                $roles->LimitToRolesForQueue($object->Id);
+            }
+            else {
+                $RT::Logger->warn("Skipping unknown object type ($object) for Role principals");
+                next;
+            }
+            push @map, ['Roles' => $roles => 'Type' => 1];
+        }
+        elsif (/Users/) {
+            my $Privileged = RT::Group->new($session{'CurrentUser'});
+            $Privileged->LoadSystemInternalGroup('Privileged');
+            my $Users = $Privileged->UserMembersObj();
+            $Users->OrderBy( FIELD => 'Name', ORDER => 'ASC' );
+            my $display = sub {
+                $m->scomp('/Elements/ShowUser', User => $_[0], NoEscape => 1)
+            };
+            push @map, ['Users' => $Users => $display => 0];
+        }
+    }
+    return @map;
 =head2 _load_container_object ( $type, $id );
 Instantiate container object for saving searches.
diff --git a/share/html/Admin/CustomFields/GroupRights.html b/share/html/Admin/CustomFields/GroupRights.html
index 9bb972e..0a31ea7 100644
--- a/share/html/Admin/CustomFields/GroupRights.html
+++ b/share/html/Admin/CustomFields/GroupRights.html
@@ -55,45 +55,11 @@
   <form method="post" action="GroupRights.html">
     <input type="hidden" class="hidden" name="id" value="<% $CustomFieldObj->id %>" />
-<h1><&|/l&>System groups</&></h1>
-% my $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToSystemInternalGroups();
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object => $CustomFieldObj  &>
-	  </td>
-	</tr>
-% }
-<h1><&|/l&>User defined groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToUserDefinedGroups();    
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% $Group->Name %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object => $CustomFieldObj  &>
-	  </td>
-	</tr>
-% }
-      <& /Elements/Submit, Caption => loc("Be sure to save your changes"), Reset => 1 &>
+    <& /Admin/Elements/EditRights, Context => $CustomFieldObj, Principals => \@principals &>
+    <& /Elements/Submit, Caption => loc("Be sure to save your changes"), Reset => 1 &>
 if (!defined $id) {
@@ -106,7 +72,9 @@ $CustomFieldObj->Load($id) || $m->comp("/Elements/Error", Why => loc("Couldn't l
 my @results = ProcessACLChanges( \%ARGS );
 my $title = loc('Modify group rights for custom field [_1]', $CustomFieldObj->Name);
+# Principal collections
+my @principals = GetPrincipalsMap($CustomFieldObj, qw(System Groups));
diff --git a/share/html/Admin/CustomFields/UserRights.html b/share/html/Admin/CustomFields/UserRights.html
index 2d9bc9f..b2c9d67 100644
--- a/share/html/Admin/CustomFields/UserRights.html
+++ b/share/html/Admin/CustomFields/UserRights.html
@@ -53,37 +53,13 @@ Title => $title, &>
   <form method="post" action="UserRights.html">
     <input type="hidden" class="hidden" name="id" value="<% $CustomFieldObj->id %>" />
-%	while (my $Member = $Users->Next()) {
-% my $UserObj = $Member->MemberObj->Object();
-% my $group = RT::Group->new($session{'CurrentUser'});
-% $group->LoadACLEquivalenceGroup($Member->MemberObj);
-  <tr align="right"> 
-	<td valign="top"><& /Elements/ShowUser, User => $UserObj &></td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId=> $group->PrincipalId,
-        Object => $CustomFieldObj  &>
-	  </td>
-	</tr>
-% }
-      </table>
-      <& /Elements/Submit, Caption => loc("Be sure to save your changes"), Reset => 1 &>
+    <& /Admin/Elements/EditRights, Context => $CustomFieldObj, Principals => \@principals &>
+    <& /Elements/Submit, Caption => loc("Be sure to save your changes"), Reset => 1 &>
-#Update the acls.
+# Update the acls.
 my @results = ProcessACLChanges( \%ARGS );
-# {{{ Deal with setting up the display of current rights.
 if (!defined $id) {
     $m->comp("/Elements/Error", Why => loc("No Class defined"));
@@ -91,20 +67,12 @@ if (!defined $id) {
 my $CustomFieldObj = RT::CustomField->new($session{'CurrentUser'});
 $CustomFieldObj->Load($id) || $m->comp("/Elements/Error", Why => loc("Couldn't load Class [_1]",$id));
-# Find out which users we want to display ACL selects for
-my $Privileged = RT::Group->new($session{'CurrentUser'});
-my $Users = $Privileged->MembersObj();
 my $title = loc('Modify user rights for custom field [_1]', $CustomFieldObj->Name);
-# }}}
+# Principal collections
+my @principals = GetPrincipalsMap($CustomFieldObj, qw(Users));
 $id => undef
-$UserString => undef
-$UserOp => undef
-$UserField => undef
diff --git a/share/html/Admin/Elements/SelectRights b/share/html/Admin/Elements/SelectRights
deleted file mode 100755
index c5fe015..0000000
--- a/share/html/Admin/Elements/SelectRights
+++ /dev/null
@@ -1,121 +0,0 @@
-<input type="hidden" class="hidden" name="CheckACL"  value="<%$ACLDesc%>" />
-     <table border="0">
-<td valign="top" width="180" align="left">
-my %current_rights;
-my @pairs;
-while ( my $ace = $ACLObj->Next ) {
-    my $right = $ace->RightName;
-    $current_rights{ $right } = 1;
-    push @pairs, [$right, loc($right)];
- at pairs = sort { $a->[1] cmp $b->[1] } @pairs;
-<h3><&|/l&>Current rights</&></h3>
-% unless ( @pairs ) {
-<i><&|/l&>No rights granted.</&></i> <br />
-% } else {
-<i>(<&|/l&>Check box to revoke right</&>)</i><br />
-% foreach my $pair ( @pairs ) {
-<input type="checkbox" class="checkbox" value="<% $pair->[0] %>" name="RevokeRight-<% $ACLDesc %>" />&nbsp;<% $pair->[1] %><br />
-% } }
-<td valign="top">
-<h3><&|/l&>New rights</&></h3> 
-<select size="5" multiple="multiple" name="GrantRight-<%$ACLDesc%>">
-% foreach my $pair (sort { $a->[1] cmp $b->[1] } map [$_, loc($_)], grep !$current_rights{$_}, keys %Rights) {
-      <option value="<% $pair->[0] %>" title="<% loc($Rights{$pair->[0]}) %>"><% $pair->[1] %></option>
-% }
-<option value="" selected="selected"><&|/l&>(no value)</&></option>
-    my ($ACLDesc, $AppliesTo, %Rights);
-    # if the principal id points to a user, we really want to point
-    # to their ACL equivalence group. The machinations we're going through
-    # lead me to start to suspect that we really want users and groups
-    # to just be the same table. or _maybe_ that we want an object db.
-    my $princ = RT::Principal->new($RT::SystemUser);
-    $princ->Load($PrincipalId);
-    if ($princ->PrincipalType eq 'User') {
-    my $group = RT::Group->new($RT::SystemUser);
-        $group->LoadACLEquivalenceGroup($princ);
-        $PrincipalId = $group->PrincipalId;
-    }
-    my $ACLObj = RT::ACL->new($session{'CurrentUser'});
-    my $ACE = RT::ACE->new($session{'CurrentUser'});
-    $ACLObj->LimitToObject( $Object);
-    $ACLObj->LimitToPrincipal( Id => $PrincipalId);
-    $ACLObj->OrderBy(FIELD=>'RightName'); 
-    if (ref($Object) && UNIVERSAL::can($Object, 'AvailableRights')) { 
-        %Rights = %{$Object->AvailableRights};
-    } 
-        else {
-                %Rights = ( loc('System Error') => loc("No rights found") );
-        }
-    $ACLDesc = "$PrincipalId-".ref($Object)."-".$Object->Id;
-$PrincipalType => undef
-$PrincipalId => undef
-$Object =>undef
diff --git a/share/html/Admin/Global/GroupRights.html b/share/html/Admin/Global/GroupRights.html
index c9daf13..31941e9 100755
--- a/share/html/Admin/Global/GroupRights.html
+++ b/share/html/Admin/Global/GroupRights.html
@@ -51,73 +51,17 @@
     Title => loc('Modify global group rights') &>  
 <& /Elements/ListActions, actions => \@results &>
-  <form method="post" action="GroupRights.html">
-<&| /Widgets/TitleBox, title => loc('Modify global group rights.')&>
-<h1><&|/l&>System groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToSystemInternalGroups();
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object  =>$RT::System &>
-	  </td>
-	</tr>
-% }
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToRolesForSystem();
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object  => $RT::System &>
-	  </td>
-	</tr>
-% }
-<h1><&|/l&>User defined groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToUserDefinedGroups();    
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% $Group->Name %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        Object  => $RT::System &>
-	  </td>
-	</tr>
-% }
-      </&>
-      <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
-  </form>
+<form method="post" action="GroupRights.html">
+  <& /Admin/Elements/EditRights, Context => $RT::System, Principals => \@principals &>
+  <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
+# Update the acls.
+my @results = ProcessACLChanges(\%ARGS);
-my $Groups;
+# Principal collections
+my @principals = GetPrincipalsMap($RT::System, qw(System Roles Groups));
diff --git a/share/html/Admin/Global/UserRights.html b/share/html/Admin/Global/UserRights.html
index 2242774..ac2a42c 100755
--- a/share/html/Admin/Global/UserRights.html
+++ b/share/html/Admin/Global/UserRights.html
@@ -51,49 +51,12 @@
     Title => loc('Modify global user rights') &>  
 <& /Elements/ListActions, actions => \@results &>
-  <form method="post" action="UserRights.html">
-<&| /Widgets/TitleBox, title => loc('Modify global user rights.') &>
-% while ( my $UserObj = $Users->Next ) {
-% my $group = RT::Group->new($session{'CurrentUser'});
-% $group->LoadACLEquivalenceGroup( $UserObj );
-  <tr align="right">
-	<td valign="top"><& /Elements/ShowUser, User => $UserObj &></td>
-	<td><& /Admin/Elements/SelectRights,
-        PrincipalId => $group->PrincipalId,
-        Object => $RT::System,
-    &></td>
-  </tr>
-% }
-<& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
+<form method="post" action="UserRights.html">
+  <& /Admin/Elements/EditRights, Context => $RT::System, Principals => \@principals &>
+  <& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
-# {{{ Deal with setting up the display of current rights.
-# Find out which users we want to display ACL selects for
-my $Privileged = RT::Group->new($session{'CurrentUser'});
-my $Users = $Privileged->UserMembersObj();
-$Users->OrderBy( FIELD => $UserOrderBy, ORDER => $UserOrder );
-# }}}
+# Update the acls.
+my @results = ProcessACLChanges(\%ARGS);
+my @principals = GetPrincipalsMap($RT::System, 'Users');
-$UserOrderBy => 'Name'
-$UserOrder => 'ASC'
diff --git a/share/html/Admin/Groups/GroupRights.html b/share/html/Admin/Groups/GroupRights.html
index df834a8..4311ee4 100755
--- a/share/html/Admin/Groups/GroupRights.html
+++ b/share/html/Admin/Groups/GroupRights.html
@@ -54,54 +54,12 @@
   <form method="post" action="GroupRights.html">
     <input type="hidden" class="hidden" name="id" value="<% $GroupObj->id %>" />
-<&| /Widgets/TitleBox, title => loc('Modify group rights for group [_1]', $GroupObj->Name) &>
-<h1><&|/l&>System groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToSystemInternalGroups();
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% loc($Group->Type) %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        PrincipalType => 'Group',
-        Object => $GroupObj  &>
-	  </td>
-	</tr>
-% }
-<h1><&|/l&>User defined groups</&></h1>
-% $Groups = RT::Groups->new($session{'CurrentUser'});
-% $Groups->LimitToUserDefinedGroups();    
-%	while (my $Group = $Groups->Next()) {
-  <tr align="right"> 
-	<td valign="top">
-	    <% $Group->Name %>
-		  </td>
-	  <td>
-	    <& /Admin/Elements/SelectRights, PrincipalId => $Group->PrincipalId,
-        PrincipalType => 'Group',
-        Object => $GroupObj  &>
-	  </td>
-	</tr>
-% }
-      </&>
-      <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
+    <& /Admin/Elements/EditRights, Context => $GroupObj, Principals => \@principals &>
+    <& /Elements/Submit, Label => loc('Modify Group Rights'), Reset => 1 &>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
+# Update the acls.
+my @results = ProcessACLChanges(\%ARGS);
 if (!defined $id) {
     Abort(loc("No Group defined"));
@@ -110,8 +68,7 @@ if (!defined $id) {
 my $GroupObj = RT::Group->new($session{'CurrentUser'});
 $GroupObj->Load($id) || Abort(loc("Couldn't load group [_1]",$id));
-my $Groups;
+my @principals = GetPrincipalsMap($GroupObj, 'System', 'User Groups');
diff --git a/share/html/Admin/Groups/UserRights.html b/share/html/Admin/Groups/UserRights.html
index e930fef..31dae23 100755
--- a/share/html/Admin/Groups/UserRights.html
+++ b/share/html/Admin/Groups/UserRights.html
@@ -54,41 +54,13 @@
   <form method="post" action="UserRights.html">
     <input type="hidden" class="hidden" name="id" value="<% $GroupObj->id %>" />
-<&| /Widgets/TitleBox, title => loc('Modify user rights for group [_1]', $GroupObj->Name) &>
-% while ( my $Member = $Users->Next ) {
-% my $UserObj = $Member->MemberObj->Object;
-  <tr align="right">
-      <td valign="top">
-          <a href="<% RT->Config->Get('WebPath') %>/Admin/Users/Modify.html?id=<% $UserObj->id %>">
-              <& /Elements/ShowUser, User => $UserObj &>
-          </a>
-      </td>
-    <td><& /Admin/Elements/SelectRights,
-        PrincipalId => $Member->MemberObj->Id,
-        PrincipalType => 'User',
-        Object => $GroupObj,
-    &></td>
-  </tr>
-% }
-<& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
+    <& /Admin/Elements/EditRights, Context => $GroupObj, Principals => \@principals &>
+    <& /Elements/Submit, Label => loc('Modify User Rights'), Reset => 1 &>
+  </form>
-  #Update the acls.
-  my @results =  ProcessACLChanges(\%ARGS);
-# {{{ Deal with setting up the display of current rights.
-#Define vars used in html above
+# Update the acls.
+my @results = ProcessACLChanges(\%ARGS);
 if (!defined $id) {
     Abort(loc("No Group defined"));
@@ -97,20 +69,9 @@ if (!defined $id) {
 my $GroupObj = RT::Group->new($session{'CurrentUser'});
 $GroupObj->Load($id) || Abort(loc("Couldn't load group [_1]",$id));
-# Find out which users we want to display ACL selects for
-my $Privileged = RT::Group->new($session{'CurrentUser'});
-my $Users = $Privileged->MembersObj();
-# }}}
+my @principals = GetPrincipalsMap($GroupObj, 'Users');
 $id => undef
-$UserString => undef
-$UserOp => undef
-$UserField => undef
diff --git a/share/html/Admin/Queues/GroupRights.html b/share/html/Admin/Queues/GroupRights.html
index 2f5824f..4daa61d 100755
--- a/share/html/Admin/Queues/GroupRights.html
+++ b/share/html/Admin/Queues/GroupRights.html
@@ -55,8 +55,7 @@
 <form method="post" action="GroupRights.html">
   <input type="hidden" class="hidden" name="id" value="<% $QueueObj->id %>" />
-%# XXX TODO: this was just after the opening table tag, put it somewhere reasonable    
-% $m->callback( %ARGS, QueueObj => $QueueObj, results => \@results );
+% $m->callback( %ARGS, QueueObj => $QueueObj, results => \@results, principals => \@principals );
   <& /Admin/Elements/EditRights, Context => $QueueObj, Principals => \@principals &>
@@ -65,7 +64,7 @@
 # Update the acls.
-my @results =  ProcessACLChanges(\%ARGS);
+my @results = ProcessACLChanges(\%ARGS);
 if (!defined $id) {
     Abort(loc("No Queue defined"));
@@ -77,22 +76,7 @@ $QueueObj->Load($id) || Abort(loc("Couldn't load queue [_1]",$id));
 my $current_tab = 'Admin/Queues/GroupRights.html?id='.$QueueObj->id;
 # Principal collections
-my $system = RT::Groups->new($session{'CurrentUser'});
-my $roles = RT::Groups->new($session{'CurrentUser'});
-my $groups = RT::Groups->new($session{'CurrentUser'});
-# XXX TODO: only find those user groups with rights granted
-my @principals = (
-    # Category        collection   column    loc?
-    ['System'      => $system   => 'Type' => 1],
-    ['Roles'       => $roles    => 'Type' => 1],
-    ['User Groups' => $groups   => 'Name' => 0],
+my @principals = GetPrincipalsMap($QueueObj, qw(System Roles Groups));
 $id => undef
diff --git a/share/html/Admin/Queues/UserRights.html b/share/html/Admin/Queues/UserRights.html
index 757991f..75c3f9a 100755
--- a/share/html/Admin/Queues/UserRights.html
+++ b/share/html/Admin/Queues/UserRights.html
@@ -75,15 +75,7 @@ if (!defined $id) {
 my $QueueObj = RT::Queue->new($session{'CurrentUser'});
 $QueueObj->Load($id) || Abort(loc("Couldn't load queue [_1]",$id));
-# Find out which users we want to display ACLs for
-my $Privileged = RT::Group->new($session{'CurrentUser'});
-my $Users = $Privileged->UserMembersObj();
-my $display = sub {
-    $m->scomp('/Elements/ShowUser', User => $_[0], NoEscape => 1)
-my @principals = (['Users' => $Users => $display => 0]);
+my @principals = GetPrincipalsMap($QueueObj, 'Users');
 my $current_tab = 'Admin/Queues/UserRights.html?id='.$QueueObj->id;

commit 71928032bf0ac78b9a139b0a163b3af901287e28
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 15:36:05 2010 -0400

    Limit users and groups to those currently granted rights
    Also add order by clauses to all the queries for consistency

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 9bbee7a..780b85e 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -2143,12 +2143,21 @@ sub GetPrincipalsMap {
         if (/System/) {
             my $system = RT::Groups->new($session{'CurrentUser'});
+            $system->OrderBy( FIELD => 'Type', ORDER => 'ASC' );
             push @map, ['System' => $system => 'Type' => 1];
         elsif (/Groups/) {
             my $groups = RT::Groups->new($session{'CurrentUser'});
-            # XXX TODO: only find those user groups with rights granted
+            $groups->OrderBy( FIELD => 'Name', ORDER => 'ASC' );
+            # Only show groups who have rights granted on this object
+            $groups->WithGroupRight(
+                Right   => '',
+                Object  => $object,
+                IncludeSystemRights => 0
+            );
             push @map, ['User Groups' => $groups => 'Name' => 0];
         elsif (/Roles/) {
@@ -2164,6 +2173,7 @@ sub GetPrincipalsMap {
                 $RT::Logger->warn("Skipping unknown object type ($object) for Role principals");
+            $roles->OrderBy( FIELD => 'Type', ORDER => 'ASC' );
             push @map, ['Roles' => $roles => 'Type' => 1];
         elsif (/Users/) {
@@ -2172,6 +2182,13 @@ sub GetPrincipalsMap {
             my $Users = $Privileged->UserMembersObj();
             $Users->OrderBy( FIELD => 'Name', ORDER => 'ASC' );
+            # Only show users who have rights granted on this object
+            $Users->WhoHaveGroupRight(
+                Right   => '',
+                Object  => $object,
+                IncludeSystemRights => 0
+            );
             my $display = sub {
                 $m->scomp('/Elements/ShowUser', User => $_[0], NoEscape => 1)

commit 6d74fdb24706cc53fd5367f9d084d1bfcf77433c
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 15:40:40 2010 -0400

    Sort by right name and make it a tooltip for reference

diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
index 21d0434..dc9839b 100644
--- a/share/html/Admin/Elements/EditRights
+++ b/share/html/Admin/Elements/EditRights
@@ -53,7 +53,6 @@ for my $collection (map { $_->[1] } @$Principals) {
         my $acls = RT::ACL->new($session{'CurrentUser'});
         $acls->LimitToObject( $Context );
         $acls->LimitToPrincipal( Id => $group->PrincipalId );
-        $acls->OrderBy( FIELD => 'RightName' ); 
         while ( my $ace = $acls->Next ) {
             my $right = $ace->RightName;
@@ -75,14 +74,14 @@ for my $category (@$Principals) {
   <div id="<% $id %>">
     <h3>Rights for <% $loc ? loc($display) : $display %></h3>
     <ul class="rights-list">
-% for my $right (keys %available_rights) {
+% for my $right (sort keys %available_rights) {
         <input type="checkbox" class="checkbox"
                name="SetRights-<% $acldesc %>"
                id="SetRights-<% $acldesc %>-<% $right %>"
                value="<% $right %>"
                <% $current_rights{$obj->PrincipalId}->{$right} ? 'checked' : '' %> />
-        <label for="SetRights-<% $acldesc %>-<% $right %>">
+        <label for="SetRights-<% $acldesc %>-<% $right %>" title="<% $right %>">
           <% loc($available_rights{$right}) %>

commit a2f018cba22512c4bc22930446d557f5de2c6d4e
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 17:25:30 2010 -0400

    Fix principal map group name

diff --git a/share/html/Admin/Groups/GroupRights.html b/share/html/Admin/Groups/GroupRights.html
index 4311ee4..68382e9 100755
--- a/share/html/Admin/Groups/GroupRights.html
+++ b/share/html/Admin/Groups/GroupRights.html
@@ -68,7 +68,7 @@ if (!defined $id) {
 my $GroupObj = RT::Group->new($session{'CurrentUser'});
 $GroupObj->Load($id) || Abort(loc("Couldn't load group [_1]",$id));
-my @principals = GetPrincipalsMap($GroupObj, 'System', 'User Groups');
+my @principals = GetPrincipalsMap($GroupObj, 'System', 'Groups');

commit d4b552a6c5415ade24c68a0cecffb8f527c3bfdc
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Aug 30 17:26:13 2010 -0400

    Basic framework for adding rights to a new principal (users, groups)
    This ability is required since now we only show users/groups with rights
    Left todo for this feature: group autocomplete and actual handling in
    ProcessACLChanges.  User autocomplete should be restricted to

diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
index dc9839b..8fb5bf0 100644
--- a/share/html/Admin/Elements/EditRights
+++ b/share/html/Admin/Elements/EditRights
@@ -1,9 +1,20 @@
+$AddPrincipal => undef
 use Scalar::Util qw(blessed);
+unless ( $AddPrincipal ) {
+    my $last = $Principals->[-1];
+    if ( $last->[0] =~ /Groups/i ) {
+        $AddPrincipal = 'group';
+    }
+    elsif ( $last->[0] =~ /Users/i ) {
+        $AddPrincipal = 'user';
+    }
 %# Principals is an array of arrays, where the inner arrays are like:
 %#      [ 'Category name' => $CollectionObj => 'DisplayColumn' => 1 ]
@@ -34,6 +45,16 @@ for my $category (@$Principals) {
+% if ( $AddPrincipal ) {
+    <li class="category"><&|/l&>Add</&> <% loc($AddPrincipal) %></li>
+    <li>
+      <a href="#acl-addprincipal">
+        <input type="text" value=""
+               name="AddPrincipalForRights-<% lc $AddPrincipal %>"
+               id="AddPrincipalForRights-<% lc $AddPrincipal %>" />
+      </a>
+    </li>
+% }
@@ -72,7 +93,7 @@ for my $category (@$Principals) {
   <div id="<% $id %>">
-    <h3>Rights for <% $loc ? loc($display) : $display %></h3>
+    <h3><&|/l&>Rights for</&> <% $loc ? loc($display) : $display %></h3>
     <ul class="rights-list">
 % for my $right (sort keys %available_rights) {
@@ -92,5 +113,25 @@ for my $category (@$Principals) {
+if ( $AddPrincipal ) {
+    my $acldesc = join '-', 'addprincipal', ref($Context), $Context->Id;
+  <div id="acl-addprincipal">
+    <h3><&|/l&>Add rights for this</&> <% loc($AddPrincipal) %></h3>
+    <ul class="rights-list">
+% for my $right (sort keys %available_rights) {
+      <li>
+        <input type="checkbox" class="checkbox"
+               name="SetRights-<% $acldesc %>"
+               id="SetRights-<% $acldesc %>-<% $right %>"
+               value="<% $right %>" />
+        <label for="SetRights-<% $acldesc %>-<% $right %>" title="<% $right %>">
+          <% loc($available_rights{$right}) %>
+        </label>
+      </li>
+% }
+    </ul>
+  </div>
+% }
diff --git a/share/html/NoAuth/js/userautocomplete.js b/share/html/NoAuth/js/userautocomplete.js
index b296d0c..8944f5c 100644
--- a/share/html/NoAuth/js/userautocomplete.js
+++ b/share/html/NoAuth/js/userautocomplete.js
@@ -3,7 +3,7 @@ jQuery(function() {
     var multipleCompletion = new Array("Requestors", "To", "Bcc", "Cc", "AdminCc", "WatcherAddressEmail[123]", "UpdateCc", "UpdateBcc");
     // inputs with only a single email address allowed
-    var singleCompletion   = new Array("(Add|Delete)Requestor", "(Add|Delete)Cc", "(Add|Delete)AdminCc");
+    var singleCompletion   = new Array("(Add|Delete)Requestor", "(Add|Delete)Cc", "(Add|Delete)AdminCc", "AddPrincipalForRights-user");
     // build up the regexps we'll use to match
     var applyto  = new RegExp('^(' + multipleCompletion.concat(singleCompletion).join('|') + ')$');

commit 8e43a69bfd68427766376a3682c902f198e7161b
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Sep 2 12:23:43 2010 -0400

    Only autocomplete privileged users for the rights editor

diff --git a/share/html/Helpers/Autocomplete/Users b/share/html/Helpers/Autocomplete/Users
index b4046a5..5aecf07 100644
--- a/share/html/Helpers/Autocomplete/Users
+++ b/share/html/Helpers/Autocomplete/Users
@@ -53,6 +53,7 @@ $return => ''
 $term => undef
 $delim => undef
 $max => 10
+$privileged => undef
 require JSON;
@@ -89,6 +90,8 @@ my %fields = %{ RT->Config->Get('UserAutocompleteFields')
 my $users = RT::Users->new( $CurrentUser );
 $users->RowsPerPage( $max );
+$users->LimitToPrivileged() if $privileged;
 while (my ($name, $op) = each %fields) {
     $op = 'STARTSWITH'
         unless $op =~ /^(?:LIKE|(?:START|END)SWITH)$/i;
diff --git a/share/html/NoAuth/js/userautocomplete.js b/share/html/NoAuth/js/userautocomplete.js
index 8944f5c..a1a799f 100644
--- a/share/html/NoAuth/js/userautocomplete.js
+++ b/share/html/NoAuth/js/userautocomplete.js
@@ -3,11 +3,15 @@ jQuery(function() {
     var multipleCompletion = new Array("Requestors", "To", "Bcc", "Cc", "AdminCc", "WatcherAddressEmail[123]", "UpdateCc", "UpdateBcc");
     // inputs with only a single email address allowed
-    var singleCompletion   = new Array("(Add|Delete)Requestor", "(Add|Delete)Cc", "(Add|Delete)AdminCc", "AddPrincipalForRights-user");
+    var singleCompletion   = new Array("(Add|Delete)Requestor", "(Add|Delete)Cc", "(Add|Delete)AdminCc");
+    // inputs for only privileged users
+    var privilegedCompletion = new Array("AddPrincipalForRights-user");
     // build up the regexps we'll use to match
-    var applyto  = new RegExp('^(' + multipleCompletion.concat(singleCompletion).join('|') + ')$');
+    var applyto  = new RegExp('^(' + multipleCompletion.concat(singleCompletion, privilegedCompletion).join('|') + ')$');
     var acceptsMultiple = new RegExp('^(' + multipleCompletion.join('|') + ')$');
+    var onlyPrivileged = new RegExp('^(' + privilegedCompletion.join('|') + ')$');
     var inputs = document.getElementsByTagName("input");
@@ -22,8 +26,14 @@ jQuery(function() {
             source: "<% RT->Config->Get('WebPath')%>/Helpers/Autocomplete/Users"
+        var queryargs = [];
+        if (inputName.match(onlyPrivileged)) {
+            queryargs.push("privileged=1");
+        }
         if (inputName.match(acceptsMultiple)) {
-            options.source = options.source + "?delim=,";
+            queryargs.push("delim=,");
             options.focus = function () {
                 // prevent value inserted on focus
@@ -38,6 +48,10 @@ jQuery(function() {
                 return false;
+        if (queryargs.length)
+            options.source += "?" + queryargs.join("&");

commit b70294586642168f126bede4b3e715f55189e74a
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Sep 2 13:27:21 2010 -0400

    Update ProcessACLChanges to deal with adding rights to new principals

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 780b85e..6d6014b 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1374,6 +1374,37 @@ sub ProcessACLChanges {
     my $CheckACL = $ARGSref->{'CheckACL'};
     my @check = grep { defined } (ref $CheckACL eq 'ARRAY' ? @$CheckACL : $CheckACL);
+    # Check if we want to grant rights to a previously rights-less user
+    for my $type (qw(user group)) {
+        my $key = "AddPrincipalForRights-$type";
+        next unless $ARGSref->{$key};
+        my $principal;
+        if ( $type eq 'user' ) {
+            $principal = RT::User->new( $session{'CurrentUser'} );
+            $principal->Load( $ARGSref->{$key} );
+        }
+        else {
+            $principal = RT::Group->new( $session{'CurrentUser'} );
+            $principal->LoadUserDefinedGroup( $ARGSref->{$key} );
+        }
+        unless ($principal->PrincipalId) {
+            push @results, loc("Couldn't load the specified principal");
+            next;
+        }
+        my $principal_id = $principal->PrincipalId;
+        # Turn our addprincipal rights spec into a real one
+        for my $arg (keys %$ARGSref) {
+            next unless $arg =~ /^SetRights-addprincipal-(.+?-\d+)$/;
+            $ARGSref->{"SetRights-$principal_id-$1"} = $ARGSref->{$arg};
+            push @check, "$principal_id-$1";
+        }
+    }
     # Build our rights state for each Principal-Object tuple
     foreach my $arg ( keys %$ARGSref ) {
         next unless $arg =~ /^SetRights-(\d+-.+?-\d+)$/;
diff --git a/share/html/NoAuth/js/userautocomplete.js b/share/html/NoAuth/js/userautocomplete.js
index a1a799f..cc74868 100644
--- a/share/html/NoAuth/js/userautocomplete.js
+++ b/share/html/NoAuth/js/userautocomplete.js
@@ -28,6 +28,9 @@ jQuery(function() {
         var queryargs = [];
+        if (inputName.match("AddPrincipalForRights-user"))
+            queryargs.push("return=Name");
         if (inputName.match(onlyPrivileged)) {

commit c688bf7e5765a7f3f7364b0e5f3daca80a271abf
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Sep 2 13:27:55 2010 -0400

    Don't include subgroup members when finding user groups with rights

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 6d6014b..c20f675 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -2186,7 +2186,8 @@ sub GetPrincipalsMap {
                 Right   => '',
                 Object  => $object,
-                IncludeSystemRights => 0
+                IncludeSystemRights => 0,
+                IncludeSubgroupMembers => 0,
             push @map, ['User Groups' => $groups => 'Name' => 0];

commit 23162aa0f996c7d763a5e051f3c1e9c3c9796781
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Sep 2 13:50:20 2010 -0400

    Add group autocomplete for the new rights editor

diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
index 8fb5bf0..0878f3b 100644
--- a/share/html/Admin/Elements/EditRights
+++ b/share/html/Admin/Elements/EditRights
@@ -6,6 +6,7 @@ $AddPrincipal => undef
 use Scalar::Util qw(blessed);
+# Try to detect if we want to include an add user/group box
 unless ( $AddPrincipal ) {
     my $last = $Principals->[-1];
     if ( $last->[0] =~ /Groups/i ) {
@@ -52,6 +53,13 @@ for my $category (@$Principals) {
         <input type="text" value=""
                name="AddPrincipalForRights-<% lc $AddPrincipal %>"
                id="AddPrincipalForRights-<% lc $AddPrincipal %>" />
+% if (lc $AddPrincipal eq 'group') {
+        <script type="text/javascript">
+            jQuery("#AddPrincipalForRights-<% lc $AddPrincipal %>").autocomplete({
+                source: "<% RT->Config->Get('WebPath')%>/Helpers/Autocomplete/Groups",
+            });
+        </script>
+% }
 % }
diff --git a/share/html/Helpers/Autocomplete/Groups b/share/html/Helpers/Autocomplete/Groups
new file mode 100644
index 0000000..0c932a7
--- /dev/null
+++ b/share/html/Helpers/Autocomplete/Groups
@@ -0,0 +1,80 @@
+<% JSON::to_json( \@suggestions ) |n %>
+% $m->abort;
+$term => undef
+$max => 10
+require JSON;
+$m->abort unless defined $term
+             and length $term;
+my $CurrentUser = $session{'CurrentUser'};
+# Require privileged users
+$m->abort unless $CurrentUser->Privileged;
+my $groups = RT::Groups->new( $CurrentUser );
+$groups->RowsPerPage( $max );
+    FIELD           => 'Name',
+    OPERATOR        => 'LIKE',
+    VALUE           => $term,
+my @suggestions;
+while ( my $group = $groups->Next ) {
+    push @suggestions, $group->Name;

commit ec2817c0918e961e3ea92c240a88d7fde3b4243f
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Sep 2 17:05:45 2010 -0400

    Lump rights into 3 categories for display in the rights editor

diff --git a/lib/RT/CustomField_Overlay.pm b/lib/RT/CustomField_Overlay.pm
index d35b2a6..2cceb76 100755
--- a/lib/RT/CustomField_Overlay.pm
+++ b/lib/RT/CustomField_Overlay.pm
@@ -170,6 +170,13 @@ our $RIGHTS = {
     ModifyCustomField         => 'Add, delete and modify custom field values for objects' #loc_pair
+    SeeCustomField          => 'General',
+    AdminCustomField        => 'Admin',
+    AdminCustomFieldValues  => 'Admin',
+    ModifyCustomField       => 'Staff',
 # Tell RT::ACE that this sort of object can get acls granted
 $RT::ACE::OBJECT_TYPES{'RT::CustomField'} = 1;
@@ -195,6 +202,17 @@ sub AvailableRights {
     return $RIGHTS;
+=head2 RightCategories
+Returns a hashref where the keys are rights for this type of object and the
+values are the category (General, Staff, Admin) the right falls into.
+sub RightCategories {
+    return $RIGHT_CATEGORIES;
 =head1 NAME
   RT::CustomField_Overlay - overlay for RT::CustomField
diff --git a/lib/RT/Dashboard.pm b/lib/RT/Dashboard.pm
index 401933a..aa0f4fb 100644
--- a/lib/RT/Dashboard.pm
+++ b/lib/RT/Dashboard.pm
@@ -88,6 +88,19 @@ RT::System::AddRights(
     DeleteOwnDashboard => 'Delete personal dashboards', #loc_pair
+    SubscribeDashboard => 'Staff',
+    SeeDashboard       => 'General',
+    CreateDashboard    => 'Admin',
+    ModifyDashboard    => 'Admin',
+    DeleteDashboard    => 'Admin',
+    SeeOwnDashboard    => 'Staff',
+    CreateOwnDashboard => 'Staff',
+    ModifyOwnDashboard => 'Staff',
+    DeleteOwnDashboard => 'Staff',
 =head2 ObjectName
diff --git a/lib/RT/Group_Overlay.pm b/lib/RT/Group_Overlay.pm
index 12141f9..603fd35 100755
--- a/lib/RT/Group_Overlay.pm
+++ b/lib/RT/Group_Overlay.pm
@@ -81,7 +81,7 @@ use RT::GroupMembers;
 use RT::Principals;
 use RT::ACL;
-use vars qw/$RIGHTS/;
 $RIGHTS = {
     AdminGroup           => 'Modify group metadata or delete group',  # loc_pair
@@ -100,6 +100,20 @@ $RIGHTS = {
     DeleteGroupDashboard    => 'Delete dashboards for this group', #loc_pair
+    AdminGroup              => 'Admin',
+    AdminGroupMembership    => 'Admin',
+    DelegateRights          => 'Staff',
+    ModifyOwnMembership     => 'Staff',
+    EditSavedSearches       => 'Admin',
+    ShowSavedSearches       => 'Staff',
+    SeeGroup                => 'Staff',
+    SeeGroupDashboard       => 'Staff',
+    CreateGroupDashboard    => 'Admin',
+    ModifyGroupDashboard    => 'Admin',
+    DeleteGroupDashboard    => 'Admin',
 # Tell RT::ACE that this sort of object can get acls granted
 $RT::ACE::OBJECT_TYPES{'RT::Group'} = 1;
@@ -137,6 +151,17 @@ sub AvailableRights {
+=head2 RightCategories
+Returns a hashref where the keys are rights for this type of object and the
+values are the category (General, Staff, Admin) the right falls into.
+sub RightCategories {
+    return $RIGHT_CATEGORIES;
 # {{{ sub SelfDescription
diff --git a/lib/RT/Queue_Overlay.pm b/lib/RT/Queue_Overlay.pm
index cd039e8..cf655d0 100755
--- a/lib/RT/Queue_Overlay.pm
+++ b/lib/RT/Queue_Overlay.pm
@@ -119,6 +119,37 @@ our $RIGHTS = {
+    SeeQueue            => 'General',
+    AdminQueue          => 'Admin',
+    ShowACL             => 'Admin',
+    ModifyACL           => 'Admin',
+    ModifyQueueWatchers => 'Admin',
+    SeeCustomField      => 'General',
+    ModifyCustomField   => 'Staff',
+    AssignCustomFields  => 'Admin',
+    ModifyTemplate      => 'Admin',
+    ShowTemplate        => 'Admin',
+    ModifyScrips        => 'Admin',
+    ShowScrips          => 'Admin',
+    ShowTicket          => 'General',
+    ShowTicketComments  => 'Staff',
+    ShowOutgoingEmail   => 'Staff',
+    Watch               => 'General',
+    WatchAsAdminCc      => 'Staff',
+    CreateTicket        => 'General',
+    ReplyToTicket       => 'General',
+    CommentOnTicket     => 'General',
+    OwnTicket           => 'Admin',
+    ModifyTicket        => 'Staff',
+    ModifyTicketStatus  => 'Staff',
+    DeleteTicket        => 'Staff',
+    RejectTicket        => 'Staff',
+    TakeTicket          => 'Staff',
+    StealTicket         => 'Staff',
+    ForwardMessage      => 'Staff',
 # Tell RT::ACE that this sort of object can get acls granted
 $RT::ACE::OBJECT_TYPES{'RT::Queue'} = 1;
@@ -186,6 +217,18 @@ sub AvailableRights {
+=head2 RightCategories
+Returns a hashref where the keys are rights for this type of object and the
+values are the category (General, Staff, Admin) the right falls into.
+sub RightCategories {
+    return $RIGHT_CATEGORIES;
 # {{{ ActiveStatusArray
 sub lifecycle {
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index b5ee5c6..9280645 100755
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -93,6 +93,21 @@ our $RIGHTS = {
     ExecuteCode => "allow writing Perl code in templates, scrips, etc", # loc_pair
+    SuperUser              => 'Admin',
+    AdminAllPersonalGroups => 'Admin',
+    AdminOwnPersonalGroups => 'Admin',
+    AdminUsers             => 'Admin',
+    ModifySelf             => 'Staff',
+    DelegateRights         => 'Admin',
+    ShowConfigTab          => 'Admin',
+    ShowApprovalsTab       => 'Admin',
+    ShowGlobalTemplates    => 'Staff',
+    LoadSavedSearch        => 'General',
+    CreateSavedSearch      => 'General',
+    ExecuteCode            => 'Admin',
 # Tell RT::ACE that this sort of object can get acls granted
 $RT::ACE::OBJECT_TYPES{'RT::System'} = 1;
@@ -131,6 +146,30 @@ sub AvailableRights {
+=head2 RightCategories
+Returns a hashref where the keys are rights for this type of object and the
+values are the category (General, Staff, Admin) the right falls into.
+sub RightCategories {
+    my $self = shift;
+    my $queue = RT::Queue->new($RT::SystemUser);
+    my $group = RT::Group->new($RT::SystemUser);
+    my $cf    = RT::CustomField->new($RT::SystemUser);
+    my $qr = $queue->RightCategories();
+    my $gr = $group->RightCategories();
+    my $cr = $cf->RightCategories();
+    # Build a merged list of all system wide rights, queue rights and group rights.
+    my %rights = (%{$RIGHT_CATEGORIES}, %{$gr}, %{$qr}, %{$cr});
+    return(\%rights);
 =head2 AddRights C<RIGHT>, C<DESCRIPTION> [, ...]
 Adds the given rights to the list of possible rights.  This method
@@ -146,6 +185,19 @@ sub AddRights {
                                       map { lc($_) => $_ } keys %new);
+=head2 AddRightCategories C<RIGHT>, C<CATEGORY> [, ...]
+Adds the given right and category pairs to the list of right categories.  This
+method should be called during server startup, not at runtime.
+sub AddRightCategories {
+    my $self = shift if ref $_[0] or $_[0] eq __PACKAGE__;
+    my %new = @_;
 sub _Init {
     my $self = shift;
     $self->SUPER::_Init (@_) if @_ && $_[0];
diff --git a/share/html/Admin/Elements/EditRights b/share/html/Admin/Elements/EditRights
index 0878f3b..85feff3 100644
--- a/share/html/Admin/Elements/EditRights
+++ b/share/html/Admin/Elements/EditRights
@@ -25,6 +25,7 @@ unless ( $AddPrincipal ) {
 <script type="text/javascript">
   jQuery(function() {
+      jQuery(".rights-editor .category-tabs").tabs();
@@ -66,15 +67,31 @@ for my $category (@$Principals) {
-# Find all our available rights
-my %available_rights;
+# Find all our available rights...
+my (%available_rights, %categories);
 if ( blessed($Context) and $Context->can('AvailableRights') ) { 
     %available_rights = %{$Context->AvailableRights};
-else {
+} else {
     %available_rights = ( loc('System Error') => loc("No rights found") );
+# ...and their categories
+if ( blessed($Context) and $Context->can('RightCategories') ) { 
+    my %right_categories = %{$Context->RightCategories};
+    for my $right (keys %available_rights) {
+        push @{$categories{$right_categories{$right}}}, $right;
+    }
+my %category_desc = (
+    'General' => 'General rights',
+    'Staff'   => 'Rights for Staff',
+    'Admin'   => 'Rights for Administrators',
+my %catsort = ( General => 1, Staff => 2, Admin => 3, );
 # Find all the current rights
 my %current_rights;
 for my $collection (map { $_->[1] } @$Principals) {
@@ -101,9 +118,17 @@ for my $category (@$Principals) {
   <div id="<% $id %>">
-    <h3><&|/l&>Rights for</&> <% $loc ? loc($display) : $display %></h3>
+    <h3><% $loc ? loc($display) : $display %></h3>
+    <div class="category-tabs">
+      <ul>
+% for my $category (sort { $catsort{$a} <=> $catsort{$b} } keys %categories) {
+        <li><a href="#<% "$id-$category" %>"><% loc($category_desc{$category} || 'Miscellaneous') %></a></li>
+% }
+      </ul>
+% for my $category (sort { $catsort{$a} <=> $catsort{$b} } keys %categories) {
+    <div id="<% "$id-$category" %>">
     <ul class="rights-list">
-% for my $right (sort keys %available_rights) {
+%     for my $right (sort @{$categories{$category}}) {
         <input type="checkbox" class="checkbox"
                name="SetRights-<% $acldesc %>"
@@ -114,8 +139,11 @@ for my $category (@$Principals) {
           <% loc($available_rights{$right}) %>
-% }
+%     }
+    </div>
+% }
+    </div>
     <input type="hidden" name="CheckACL" value="<% $acldesc %>" />
@@ -127,8 +155,16 @@ if ( $AddPrincipal ) {
   <div id="acl-addprincipal">
     <h3><&|/l&>Add rights for this</&> <% loc($AddPrincipal) %></h3>
+    <div class="category-tabs">
+      <ul>
+% for my $category (sort { $catsort{$a} <=> $catsort{$b} } keys %categories) {
+        <li><a href="#acl-addprincipal-<% $category %>"><% loc($category_desc{$category} || 'Miscellaneous') %></a></li>
+% }
+      </ul>
+% for my $category (sort { $catsort{$a} <=> $catsort{$b} } keys %categories) {
+    <div id="acl-addprincipal-<% $category %>">
     <ul class="rights-list">
-% for my $right (sort keys %available_rights) {
+%     for my $right (sort @{$categories{$category}}) {
         <input type="checkbox" class="checkbox"
                name="SetRights-<% $acldesc %>"
@@ -138,8 +174,11 @@ if ( $AddPrincipal ) {
           <% loc($available_rights{$right}) %>
-% }
+%     }
+    </div>
+% }
+  </div>
 % }
diff --git a/share/html/NoAuth/css/base/rights-editor.css b/share/html/NoAuth/css/base/rights-editor.css
index 82d7a56..5b5c216 100644
--- a/share/html/NoAuth/css/base/rights-editor.css
+++ b/share/html/NoAuth/css/base/rights-editor.css
@@ -7,6 +7,7 @@
 .rights-editor {
     border: none;
     background: transparent;
+    width: 100%;
 /* Position and style the left tabs */
@@ -15,6 +16,7 @@
     background: transparent;
     border: none;
     color: black;
+    width: 25%;
 .rights-editor > .ui-tabs-nav li {
@@ -43,7 +45,8 @@ li.category ~ li.category {
 /* Position the outer-most panel */
 .rights-editor > .ui-tabs-panel {
     position: static;
-    float: right;
+    float: left;
+    width: 72%;
 .rights-editor .ui-tabs-panel {
@@ -57,3 +60,7 @@ li.category ~ li.category {
 .rights-editor ul.rights-list {
     list-style: none;
+.category-tabs {
+    width: 100%;


More information about the Rt-commit mailing list