[Rt-commit] rt branch, 3.9-trunk, updated. rt-3.8.8-767-g3778546

Thomas Sibley trs at bestpractical.com
Wed Sep 15 17:58:36 EDT 2010


The branch, 3.9-trunk has been updated
       via  3778546e289e4f35361a081833aee9296844aac1 (commit)
       via  0b88674086b0ff32dc19ef3d0869cb99ca5257c3 (commit)
      from  8cd64c3a7827f2c84f504bad0b01ad86237bcd7d (commit)

Summary of changes:
 lib/RT/Interface/Web.pm                        |   70 +++++++++++++++++++++++-
 share/html/Admin/CustomFields/GroupRights.html |    2 +-
 share/html/Admin/CustomFields/UserRights.html  |    2 +-
 share/html/Admin/Global/GroupRights.html       |    2 +-
 share/html/Admin/Global/UserRights.html        |    2 +-
 share/html/Admin/Groups/GroupRights.html       |    2 +-
 share/html/Admin/Groups/UserRights.html        |    2 +-
 share/html/Admin/Queues/GroupRights.html       |    2 +-
 share/html/Admin/Queues/UserRights.html        |    2 +-
 9 files changed, 76 insertions(+), 10 deletions(-)

- Log -----------------------------------------------------------------
commit 0b88674086b0ff32dc19ef3d0869cb99ca5257c3
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed Sep 15 16:34:19 2010 -0400

    Restore the original behaviour of ProcessACLChanges
    
    This seeks to maintain back compatibility with 3.8, mainly for RTFM and
    existing extensions.  The new version of ProcessACLChanges that this
    reverts will be added back in the next commit as ProcessACLs.
    
    Details:
    
    Partially revert "Update ProcessACLChanges to deal with adding rights to new principals"
    
    This partially reverts commit b70294586642168f126bede4b3e715f55189e74a,
    restoring only RT::Interface::Web::ProcessACLChanges.
    
    Partially revert "ProcessACLChanges now expects values from a series of checkboxes"
    
    This partially reverts commit b9634f3074184c00c22301b9ba720877cc5b02e7,
    restoring RT::Interface::Web::ProcessACLChanges but leaving the
    EditRights component.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index cdc8634..65da9aa 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1382,61 +1382,25 @@ sub ParseDateToISO {
 
 sub ProcessACLChanges {
     my $ARGSref = shift;
-    my (%state, @results);
 
     #XXX: why don't we get ARGSref like in other Process* subs?
 
-    my $CheckACL = $ARGSref->{'CheckACL'};
-    my @check = grep { defined } (ref $CheckACL eq 'ARRAY' ? @$CheckACL : $CheckACL);
-
-    # Check if we want to grant rights to a previously rights-less user
-    for my $type (qw(user group)) {
-        my $key = "AddPrincipalForRights-$type";
-
-        next unless $ARGSref->{$key};
-
-        my $principal;
-        if ( $type eq 'user' ) {
-            $principal = RT::User->new( $session{'CurrentUser'} );
-            $principal->Load( $ARGSref->{$key} );
-        }
-        else {
-            $principal = RT::Group->new( $session{'CurrentUser'} );
-            $principal->LoadUserDefinedGroup( $ARGSref->{$key} );
-        }
+    my @results;
 
-        unless ($principal->PrincipalId) {
-            push @results, loc("Couldn't load the specified principal");
-            next;
-        }
+    foreach my $arg ( keys %$ARGSref ) {
+        next unless ( $arg =~ /^(GrantRight|RevokeRight)-(\d+)-(.+?)-(\d+)$/ );
 
-        my $principal_id = $principal->PrincipalId;
+        my ( $method, $principal_id, $object_type, $object_id ) = ( $1, $2, $3, $4 );
 
-        # Turn our addprincipal rights spec into a real one
-        for my $arg (keys %$ARGSref) {
-            next unless $arg =~ /^SetRights-addprincipal-(.+?-\d+)$/;
-            $ARGSref->{"SetRights-$principal_id-$1"} = $ARGSref->{$arg};
-            push @check, "$principal_id-$1";
+        my @rights;
+        if ( UNIVERSAL::isa( $ARGSref->{$arg}, 'ARRAY' ) ) {
+            @rights = @{ $ARGSref->{$arg} };
+        } else {
+            @rights = $ARGSref->{$arg};
         }
-    }
-
-    # Build our rights state for each Principal-Object tuple
-    foreach my $arg ( keys %$ARGSref ) {
-        next unless $arg =~ /^SetRights-(\d+-.+?-\d+)$/;
-
-        my $tuple  = $1;
-        my $value  = $ARGSref->{$arg};
-        my @rights = grep { $_ } (ref $value eq 'ARRAY' ? @$value : $value);
+        @rights = grep $_, @rights;
         next unless @rights;
 
-        $state{$tuple} = { map { $_ => 1 } @rights };
-    }
-
-    foreach my $tuple (@check) {
-        next unless $tuple =~ /^(\d+)-(.+?)-(\d+)$/;
-
-        my ( $principal_id, $object_type, $object_id ) = ( $1, $2, $3 );
-
         my $principal = RT::Principal->new( $session{'CurrentUser'} );
         $principal->Load($principal_id);
 
@@ -1456,35 +1420,9 @@ sub ProcessACLChanges {
             next;
         }
 
-        my $acls = RT::ACL->new($session{'CurrentUser'});
-        $acls->LimitToObject( $obj );
-        $acls->LimitToPrincipal( Id => $principal_id );
-
-        while ( my $ace = $acls->Next ) {
-            my $right = $ace->RightName;
-
-            # Has right and should have right
-            next if delete $state{$tuple}->{$right};
-
-            # Has right and shouldn't have right
-            my ($val, $msg) = $principal->RevokeRight( Object => $obj, Right => $right );
-            push @results, $msg;
-        }
-
-        # For everything left, they don't have the right but they should
-        for my $right (keys %{ $state{$tuple} || {} }) {
-            delete $state{$tuple}->{$right};
-            my ($val, $msg) = $principal->GrantRight( Object => $obj, Right => $right );
-            push @results, $msg;
-        }
-
-        # Check our state for leftovers
-        if ( keys %{ $state{$tuple} || {} } ) {
-            my $missed = join '|', %{$state{$tuple} || {}};
-            $RT::Logger->warn(
-               "Uh-oh, it looks like we somehow missed a right in "
-              ."ProcessACLChanges.  Here's what was leftover: $missed"
-            );
+        foreach my $right (@rights) {
+            my ( $val, $msg ) = $principal->$method( Object => $obj, Right => $right );
+            push( @results, $msg );
         }
     }
 

commit 3778546e289e4f35361a081833aee9296844aac1
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed Sep 15 17:22:31 2010 -0400

    Add ProcessACLs to handle the new rights editor
    
    This restores the new behaviour the previous commit undid, just
    under a different function name.  Switch all our rights pages to use
    ProcessACLs as well since they use the new tabbed rights editor.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 65da9aa..19434ee 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1431,6 +1431,134 @@ sub ProcessACLChanges {
 
 # }}}
 
+=head2 ProcessACLs
+
+ProcessACLs expects values from a series of checkboxes that describe the full
+set of rights a principal should have on an object.
+
+It expects form inputs with names like SetRights-PrincipalId-ObjType-ObjId
+instead of with the prefixes Grant/RevokeRight.  Each input should be an array
+listing the rights the principal should have, and ProcessACLs will modify the
+current rights to match.  Additionally, the previously unused CheckACL input
+listing PrincipalId-ObjType-ObjId is now used to catch cases when all the
+rights are removed from a principal and as such no SetRights input is
+submitted.
+
+=cut
+
+sub ProcessACLs {
+    my $ARGSref = shift;
+    my (%state, @results);
+
+    #XXX: why don't we get ARGSref like in other Process* subs?
+
+    my $CheckACL = $ARGSref->{'CheckACL'};
+    my @check = grep { defined } (ref $CheckACL eq 'ARRAY' ? @$CheckACL : $CheckACL);
+
+    # Check if we want to grant rights to a previously rights-less user
+    for my $type (qw(user group)) {
+        my $key = "AddPrincipalForRights-$type";
+
+        next unless $ARGSref->{$key};
+
+        my $principal;
+        if ( $type eq 'user' ) {
+            $principal = RT::User->new( $session{'CurrentUser'} );
+            $principal->Load( $ARGSref->{$key} );
+        }
+        else {
+            $principal = RT::Group->new( $session{'CurrentUser'} );
+            $principal->LoadUserDefinedGroup( $ARGSref->{$key} );
+        }
+
+        unless ($principal->PrincipalId) {
+            push @results, loc("Couldn't load the specified principal");
+            next;
+        }
+
+        my $principal_id = $principal->PrincipalId;
+
+        # Turn our addprincipal rights spec into a real one
+        for my $arg (keys %$ARGSref) {
+            next unless $arg =~ /^SetRights-addprincipal-(.+?-\d+)$/;
+            $ARGSref->{"SetRights-$principal_id-$1"} = $ARGSref->{$arg};
+            push @check, "$principal_id-$1";
+        }
+    }
+
+    # Build our rights state for each Principal-Object tuple
+    foreach my $arg ( keys %$ARGSref ) {
+        next unless $arg =~ /^SetRights-(\d+-.+?-\d+)$/;
+
+        my $tuple  = $1;
+        my $value  = $ARGSref->{$arg};
+        my @rights = grep { $_ } (ref $value eq 'ARRAY' ? @$value : $value);
+        next unless @rights;
+
+        $state{$tuple} = { map { $_ => 1 } @rights };
+    }
+
+    foreach my $tuple (@check) {
+        next unless $tuple =~ /^(\d+)-(.+?)-(\d+)$/;
+
+        my ( $principal_id, $object_type, $object_id ) = ( $1, $2, $3 );
+
+        my $principal = RT::Principal->new( $session{'CurrentUser'} );
+        $principal->Load($principal_id);
+
+        my $obj;
+        if ( $object_type eq 'RT::System' ) {
+            $obj = $RT::System;
+        } elsif ( $RT::ACE::OBJECT_TYPES{$object_type} ) {
+            $obj = $object_type->new( $session{'CurrentUser'} );
+            $obj->Load($object_id);
+            unless ( $obj->id ) {
+                $RT::Logger->error("couldn't load $object_type #$object_id");
+                next;
+            }
+        } else {
+            $RT::Logger->error("object type '$object_type' is incorrect");
+            push( @results, loc("System Error") . ': ' . loc( "Rights could not be granted for [_1]", $object_type ) );
+            next;
+        }
+
+        my $acls = RT::ACL->new($session{'CurrentUser'});
+        $acls->LimitToObject( $obj );
+        $acls->LimitToPrincipal( Id => $principal_id );
+
+        while ( my $ace = $acls->Next ) {
+            my $right = $ace->RightName;
+
+            # Has right and should have right
+            next if delete $state{$tuple}->{$right};
+
+            # Has right and shouldn't have right
+            my ($val, $msg) = $principal->RevokeRight( Object => $obj, Right => $right );
+            push @results, $msg;
+        }
+
+        # For everything left, they don't have the right but they should
+        for my $right (keys %{ $state{$tuple} || {} }) {
+            delete $state{$tuple}->{$right};
+            my ($val, $msg) = $principal->GrantRight( Object => $obj, Right => $right );
+            push @results, $msg;
+        }
+
+        # Check our state for leftovers
+        if ( keys %{ $state{$tuple} || {} } ) {
+            my $missed = join '|', %{$state{$tuple} || {}};
+            $RT::Logger->warn(
+               "Uh-oh, it looks like we somehow missed a right in "
+              ."ProcessACLs.  Here's what was leftover: $missed"
+            );
+        }
+    }
+
+    return (@results);
+}
+
+
+
 # {{{ sub UpdateRecordObj
 
 =head2 UpdateRecordObj ( ARGSRef => \%ARGS, Object => RT::Record, AttributesRef => \@attribs)
diff --git a/share/html/Admin/CustomFields/GroupRights.html b/share/html/Admin/CustomFields/GroupRights.html
index 0a31ea7..f3955ae 100644
--- a/share/html/Admin/CustomFields/GroupRights.html
+++ b/share/html/Admin/CustomFields/GroupRights.html
@@ -69,7 +69,7 @@ if (!defined $id) {
 my $CustomFieldObj = RT::CustomField->new($session{'CurrentUser'});
 $CustomFieldObj->Load($id) || $m->comp("/Elements/Error", Why => loc("Couldn't load CustomField [_1]",$id));
 
-my @results = ProcessACLChanges( \%ARGS );
+my @results = ProcessACLs( \%ARGS );
 
 my $title = loc('Modify group rights for custom field [_1]', $CustomFieldObj->Name);
 
diff --git a/share/html/Admin/CustomFields/UserRights.html b/share/html/Admin/CustomFields/UserRights.html
index b2c9d67..15b2a48 100644
--- a/share/html/Admin/CustomFields/UserRights.html
+++ b/share/html/Admin/CustomFields/UserRights.html
@@ -58,7 +58,7 @@ Title => $title, &>
   </form>
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges( \%ARGS );
+my @results = ProcessACLs( \%ARGS );
 
 if (!defined $id) {
     $m->comp("/Elements/Error", Why => loc("No Class defined"));
diff --git a/share/html/Admin/Global/GroupRights.html b/share/html/Admin/Global/GroupRights.html
index 31941e9..f59f181 100755
--- a/share/html/Admin/Global/GroupRights.html
+++ b/share/html/Admin/Global/GroupRights.html
@@ -58,7 +58,7 @@
   
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges(\%ARGS);
+my @results = ProcessACLs(\%ARGS);
 
 # Principal collections
 my @principals = GetPrincipalsMap($RT::System, qw(System Roles Groups));
diff --git a/share/html/Admin/Global/UserRights.html b/share/html/Admin/Global/UserRights.html
index ac2a42c..dce2141 100755
--- a/share/html/Admin/Global/UserRights.html
+++ b/share/html/Admin/Global/UserRights.html
@@ -57,6 +57,6 @@
 </form>
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges(\%ARGS);
+my @results = ProcessACLs(\%ARGS);
 my @principals = GetPrincipalsMap($RT::System, 'Users');
 </%INIT>
diff --git a/share/html/Admin/Groups/GroupRights.html b/share/html/Admin/Groups/GroupRights.html
index 68382e9..830c6c3 100755
--- a/share/html/Admin/Groups/GroupRights.html
+++ b/share/html/Admin/Groups/GroupRights.html
@@ -59,7 +59,7 @@
   </form>
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges(\%ARGS);
+my @results = ProcessACLs(\%ARGS);
 
 if (!defined $id) {
     Abort(loc("No Group defined"));
diff --git a/share/html/Admin/Groups/UserRights.html b/share/html/Admin/Groups/UserRights.html
index 31dae23..ec2432b 100755
--- a/share/html/Admin/Groups/UserRights.html
+++ b/share/html/Admin/Groups/UserRights.html
@@ -60,7 +60,7 @@
 
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges(\%ARGS);
+my @results = ProcessACLs(\%ARGS);
 
 if (!defined $id) {
     Abort(loc("No Group defined"));
diff --git a/share/html/Admin/Queues/GroupRights.html b/share/html/Admin/Queues/GroupRights.html
index 4daa61d..0b79649 100755
--- a/share/html/Admin/Queues/GroupRights.html
+++ b/share/html/Admin/Queues/GroupRights.html
@@ -64,7 +64,7 @@
 
 <%INIT>
 # Update the acls.
-my @results = ProcessACLChanges(\%ARGS);
+my @results = ProcessACLs(\%ARGS);
 
 if (!defined $id) {
     Abort(loc("No Queue defined"));
diff --git a/share/html/Admin/Queues/UserRights.html b/share/html/Admin/Queues/UserRights.html
index 75c3f9a..e1f2ea9 100755
--- a/share/html/Admin/Queues/UserRights.html
+++ b/share/html/Admin/Queues/UserRights.html
@@ -66,7 +66,7 @@
 
 <%INIT>
 # Update the acls.
-my @results =  ProcessACLChanges(\%ARGS);
+my @results =  ProcessACLs(\%ARGS);
 
 if (!defined $id) {
     Abort(loc("No Queue defined"));

-----------------------------------------------------------------------


More information about the Rt-commit mailing list