[Rt-commit] rt branch, 4.2/sql-acl-for-queues, created. rt-4.0.8-575-gfaff527
Ruslan Zakirov
ruz at bestpractical.com
Sat Nov 24 18:32:36 EST 2012
The branch, 4.2/sql-acl-for-queues has been created
at faff527348f94a7d6e99623f9722965e22c5a767 (commit)
- Log -----------------------------------------------------------------
commit b1a2c16a0df985244a5fe9cbb387e6a0d3c3ca29
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:02:54 2010 +0300
JoinRoleGroups for collections method
diff --git a/lib/RT/SearchBuilder.pm b/lib/RT/SearchBuilder.pm
index 47c09a6..7e6f00c 100644
--- a/lib/RT/SearchBuilder.pm
+++ b/lib/RT/SearchBuilder.pm
@@ -370,6 +370,58 @@ sub ColumnMapClassName {
return $Class;
+sub JoinRoleGroups {
+ my $self = shift;
+ my %args = (
+ New => 0,
+ Left => 0,
+ Alias => 'main',
+ Field => 'id',
+ Class => undef,
+ Type => '',
+ @_
+ );
+ unless ( $args{'Class'} ) {
+ $args{'Class'} = ref $self;
+ $args{'Class'} =~ s/s$//;
+ }
+ unless ( $args{'New'} ) {
+ return $self->{'_sql_aliases'}{'role_groups'}{ join '-', @args{qw(Alias Field Class Type)} }
+ if $self->{'_sql_aliases'}{'role_groups'}{ join '-', @args{qw(Alias Field Class Type)} }
+ }
+ # we always have watcher groups, so we're safe to use INNER join,
+ # but we would love to see groups on demand, so make it possible
+ my $groups = $self->Join(
+ $args{'Left'}? (TYPE => 'LEFT') : (),
+ ALIAS1 => $args{'Alias'},
+ FIELD1 => $args{'Field'},
+ TABLE2 => 'Groups',
+ FIELD2 => 'Instance',
+ );
+ my $limit = 'Limit';
+ # special case for tickets :(
+ $limit = '_SQLLimit' if $self->isa('RT::Tickets');
+ $self->$limit(
+ LEFTJOIN => $groups,
+ ALIAS => $groups,
+ FIELD => 'Domain',
+ VALUE => $args{'Class'} .'-Role',
+ );
+ $self->$limit(
+ LEFTJOIN => $groups,
+ ALIAS => $groups,
+ FIELD => 'Type',
+ VALUE => $args{'Type'},
+ ) if $args{'Type'};
+ $self->{'_sql_aliases'}{'role_groups'}{ join '-', @args{qw(Alias Field Class Type)} } = $groups
+ unless $args{'New'};
+ return $groups;
commit 6c536420be8fe4d80807f766ff052f9c3230b57c
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:03:58 2010 +0300
_RolesWithRight and _ObjectsDirectlyHasRightOn private class methods in RT::ACL
diff --git a/lib/RT/ACL.pm b/lib/RT/ACL.pm
index 49a7f1d..9f24b5c 100644
--- a/lib/RT/ACL.pm
+++ b/lib/RT/ACL.pm
@@ -334,4 +334,100 @@ sub NewItem {
+sub _RolesWithRight {
+ my $self = shift;
+ my %args = (
+ Right => undef,
+ @_
+ );
+ my $right = $args{'Right'} or return ();
+ my $cache_key = 'RolesWithRight;:;'. $right;
+ if ( my $cached = $RT::Principal::_ACL_CACHE->fetch( $cache_key ) ) {
+ return %$cached;
+ }
+ my $ACL = RT::ACL->new( RT->SystemUser );
+ $ACL->Limit( FIELD => 'RightName', VALUE => $right );
+ $ACL->Limit( FIELD => 'PrincipalType', OPERATOR => '!=', VALUE => 'Group' );
+ my $principal_alias = $ACL->Join(
+ ALIAS1 => 'main',
+ FIELD1 => 'PrincipalId',
+ TABLE2 => 'Principals',
+ FIELD2 => 'id',
+ );
+ $ACL->Limit( ALIAS => $principal_alias, FIELD => 'Disabled', VALUE => 0 );
+ my $query = 'SELECT main.PrincipalType, main.ObjectType, main.ObjectId'
+ .' FROM '. $ACL->_BuildJoins .' '. $ACL->_WhereClause;
+ my %res = ();
+ foreach my $row ( @{ $RT::Handle->SimpleQuery($query)->fetchall_arrayref } ) {
+ my ($role, $type, $id) = @$row;
+ if ( $type eq 'RT::System' ) {
+ $res{ $role } = { 'RT::System' => 1 };
+ }
+ else {
+ next if $res{ $role }{'RT::System'};
+ push @{ $res{ $role }{ $type } ||= [] }, $id;
+ }
+ }
+ $RT::Principal::_ACL_CACHE->set( $cache_key => \%res );
+ return %res;
+sub _ObjectsDirectlyHasRightOn {
+ my $self = shift;
+ my %args = (
+ Right => undef,
+ User => undef,
+ @_
+ );
+ my $right = $args{'Right'} or return ();
+ my $id = $args{'User'} || $self->CurrentUser->id;
+ my $cache_key = 'User-'. $id .';:;'. $right .';:;ObjectsDirectlyHasRightOn';
+ if ( my $cached = $RT::Principal::_ACL_CACHE->fetch( $cache_key ) ) {
+ return %$cached;
+ }
+ my $ACL = RT::ACL->new( RT->SystemUser );
+ $ACL->Limit( FIELD => 'RightName', VALUE => $right );
+ my $principal_alias = $ACL->Join(
+ ALIAS1 => 'main',
+ FIELD1 => 'PrincipalId',
+ TABLE2 => 'Principals',
+ FIELD2 => 'id',
+ );
+ $ACL->Limit( ALIAS => $principal_alias, FIELD => 'Disabled', VALUE => 0 );
+ my $cgm_alias = $ACL->Join(
+ ALIAS1 => 'main',
+ FIELD1 => 'PrincipalId',
+ TABLE2 => 'CachedGroupMembers',
+ FIELD2 => 'GroupId',
+ );
+ $ACL->Limit( ALIAS => $cgm_alias, FIELD => 'MemberId', VALUE => $id );
+ $ACL->Limit( ALIAS => $cgm_alias, FIELD => 'Disabled', VALUE => 0 );
+ my $query = 'SELECT main.ObjectType, main.ObjectId'
+ .' FROM '. $ACL->_BuildJoins .' '. $ACL->_WhereClause;
+ my %res = ();
+ foreach my $row ( @{ $RT::Handle->SimpleQuery($query)->fetchall_arrayref } ) {
+ my ($type, $id) = @$row;
+ if ( $type eq 'RT::System' ) {
+ # If user is direct member of a group that has the right
+ # on the system then he has this right on any object
+ %res = ('RT::System' => 1);
+ }
+ else {
+ push @{ $res{$type} ||= [] }, $id;
+ }
+ }
+ $RT::Principal::_ACL_CACHE->set( $cache_key => \%res );
+ return %res;
commit 3d8d2ce0ccaa807316cdefad07c5b8c75abb3272
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:06:12 2010 +0300
make it possible to override subclause
RT::Tickets has so bad overrides for Limit that
we have to use _SQLLimit, but it hardcodes
Let's default subclause and respect provided.
SUBLCAUSE doesn't work together with LEFTJOIN
diff --git a/lib/RT/Tickets_SQL.pm b/lib/RT/Tickets_SQL.pm
index ec1bb49..5c9549e 100644
--- a/lib/RT/Tickets_SQL.pm
+++ b/lib/RT/Tickets_SQL.pm
@@ -87,11 +87,11 @@ sub _SQLLimit {
(!$args{'ALIAS'} || $args{'ALIAS'} eq 'main' ) ) {
$self->{'looking_at_type'} = 1;
+ $args{'SUBCLAUSE'} ||= 'ticketsql' unless $args{'LEFTJOIN'};
# All SQL stuff goes into one SB subclause so we can deal with all
# the aggregation
- $self->SUPER::Limit(%args,
- SUBCLAUSE => 'ticketsql');
+ $self->SUPER::Limit( %args );
sub _SQLJoin {
commit 858be60f89a2dc5405ff5d214fabe8e8dab0937a
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:08:32 2010 +0300
switch RT::Tickets over JoinRoleGroups
diff --git a/lib/RT/Tickets.pm b/lib/RT/Tickets.pm
index 580a66f..820b28a 100644
--- a/lib/RT/Tickets.pm
+++ b/lib/RT/Tickets.pm
@@ -259,7 +259,6 @@ sub CleanSlate {
- _sql_role_group_aliases
@@ -1049,36 +1048,16 @@ sub _WatcherLimit {
sub _RoleGroupsJoin {
my $self = shift;
- my %args = (New => 0, Class => 'Ticket', Type => '', @_);
- return $self->{'_sql_role_group_aliases'}{ $args{'Class'} .'-'. $args{'Type'} }
- if $self->{'_sql_role_group_aliases'}{ $args{'Class'} .'-'. $args{'Type'} }
- && !$args{'New'};
- # we always have watcher groups for ticket, so we use INNER join
- my $groups = $self->Join(
- ALIAS1 => 'main',
- FIELD1 => $args{'Class'} eq 'Queue'? 'Queue': 'id',
- TABLE2 => 'Groups',
- FIELD2 => 'Instance',
- );
- $self->SUPER::Limit(
- LEFTJOIN => $groups,
- ALIAS => $groups,
- FIELD => 'Domain',
- VALUE => 'RT::'. $args{'Class'} .'-Role',
- );
- $self->SUPER::Limit(
- LEFTJOIN => $groups,
- ALIAS => $groups,
- FIELD => 'Type',
- VALUE => $args{'Type'},
- ) if $args{'Type'};
- $self->{'_sql_role_group_aliases'}{ $args{'Class'} .'-'. $args{'Type'} } = $groups
- unless $args{'New'};
- return $groups;
+ my %args = (Class => 'RT::Ticket', @_);
+ if ( $args{'Class'} eq 'Queue' ) {
+ $args{'Class'} = 'RT::Queue';
+ $args{'Field'} = 'Queue';
+ }
+ elsif ( $args{'Class'} eq 'Ticket' ) {
+ $args{'Class'} = 'RT::Ticket';
+ $args{'Field'} = 'id';
+ }
+ return $self->JoinRoleGroups( %args );
sub _GroupMembersJoin {
commit f46fbe4c5ef8dd8d92e4c32ce772c64cb64a5db0
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:09:54 2010 +0300
use Queue IN (1,2,3,...) instead long OR sequences
diff --git a/lib/RT/Tickets.pm b/lib/RT/Tickets.pm
index 820b28a..12564ff 100644
--- a/lib/RT/Tickets.pm
+++ b/lib/RT/Tickets.pm
@@ -3176,29 +3176,16 @@ sub CurrentUserCanSee {
my $ea = shift;
my @queues = @_;
- return unless @queues;
- if ( @queues == 1 ) {
- $self->SUPER::Limit(
- ALIAS => 'main',
- FIELD => 'Queue',
- VALUE => $_[0],
- );
- } else {
- $self->SUPER::_OpenParen('ACL');
- foreach my $q ( @queues ) {
- $self->SUPER::Limit(
- ALIAS => 'main',
- FIELD => 'Queue',
- VALUE => $q,
- );
- $ea = 'OR';
- }
- $self->SUPER::_CloseParen('ACL');
- }
+ return 0 unless @queues;
+ $self->SUPER::Limit(
+ ALIAS => 'main',
+ FIELD => 'Queue',
+ VALUE => '('. join(', ', @queues) .')',
+ );
return 1;
commit 44741fb53b9cd6cdb3972d3a5d0f8a63a78bbce0
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Fri Dec 10 09:11:04 2010 +0300
switch over generic methods we have in RT::ACL
diff --git a/lib/RT/Tickets.pm b/lib/RT/Tickets.pm
index 12564ff..1575f9d 100644
--- a/lib/RT/Tickets.pm
+++ b/lib/RT/Tickets.pm
@@ -2998,92 +2998,6 @@ sub _DoCount {
return $self->SUPER::_DoCount( @_ );
-sub _RolesCanSee {
- my $self = shift;
- my $cache_key = 'RolesHasRight;:;ShowTicket';
- if ( my $cached = $RT::Principal::_ACL_CACHE->fetch( $cache_key ) ) {
- return %$cached;
- }
- my $ACL = RT::ACL->new( RT->SystemUser );
- $ACL->Limit( FIELD => 'RightName', VALUE => 'ShowTicket' );
- $ACL->Limit( FIELD => 'PrincipalType', OPERATOR => '!=', VALUE => 'Group' );
- my $principal_alias = $ACL->Join(
- ALIAS1 => 'main',
- FIELD1 => 'PrincipalId',
- TABLE2 => 'Principals',
- FIELD2 => 'id',
- );
- $ACL->Limit( ALIAS => $principal_alias, FIELD => 'Disabled', VALUE => 0 );
- my %res = ();
- foreach my $ACE ( @{ $ACL->ItemsArrayRef } ) {
- my $role = $ACE->__Value('PrincipalType');
- my $type = $ACE->__Value('ObjectType');
- if ( $type eq 'RT::System' ) {
- $res{ $role } = 1;
- }
- elsif ( $type eq 'RT::Queue' ) {
- next if $res{ $role } && !ref $res{ $role };
- push @{ $res{ $role } ||= [] }, $ACE->__Value('ObjectId');
- }
- else {
- $RT::Logger->error('ShowTicket right is granted on unsupported object');
- }
- }
- $RT::Principal::_ACL_CACHE->set( $cache_key => \%res );
- return %res;
-sub _DirectlyCanSeeIn {
- my $self = shift;
- my $id = $self->CurrentUser->id;
- my $cache_key = 'User-'. $id .';:;ShowTicket;:;DirectlyCanSeeIn';
- if ( my $cached = $RT::Principal::_ACL_CACHE->fetch( $cache_key ) ) {
- return @$cached;
- }
- my $ACL = RT::ACL->new( RT->SystemUser );
- $ACL->Limit( FIELD => 'RightName', VALUE => 'ShowTicket' );
- my $principal_alias = $ACL->Join(
- ALIAS1 => 'main',
- FIELD1 => 'PrincipalId',
- TABLE2 => 'Principals',
- FIELD2 => 'id',
- );
- $ACL->Limit( ALIAS => $principal_alias, FIELD => 'Disabled', VALUE => 0 );
- my $cgm_alias = $ACL->Join(
- ALIAS1 => 'main',
- FIELD1 => 'PrincipalId',
- TABLE2 => 'CachedGroupMembers',
- FIELD2 => 'GroupId',
- );
- $ACL->Limit( ALIAS => $cgm_alias, FIELD => 'MemberId', VALUE => $id );
- $ACL->Limit( ALIAS => $cgm_alias, FIELD => 'Disabled', VALUE => 0 );
- my @res = ();
- foreach my $ACE ( @{ $ACL->ItemsArrayRef } ) {
- my $type = $ACE->__Value('ObjectType');
- if ( $type eq 'RT::System' ) {
- # If user is direct member of a group that has the right
- # on the system then he can see any ticket
- $RT::Principal::_ACL_CACHE->set( $cache_key => [-1] );
- return (-1);
- }
- elsif ( $type eq 'RT::Queue' ) {
- push @res, $ACE->__Value('ObjectId');
- }
- else {
- $RT::Logger->error('ShowTicket right is granted on unsupported object');
- }
- }
- $RT::Principal::_ACL_CACHE->set( $cache_key => \@res );
- return @res;
sub CurrentUserCanSee {
my $self = shift;
return if $self->{'_sql_current_user_can_see_applied'};
@@ -3096,21 +3010,30 @@ sub CurrentUserCanSee {
my $id = $self->CurrentUser->id;
# directly can see in all queues then we have nothing to do
- my @direct_queues = $self->_DirectlyCanSeeIn;
+ my %direct = RT::ACL->_ObjectsDirectlyHasRightOn(
+ User => $id,
+ Right => 'ShowTicket',
+ );
return $self->{'_sql_current_user_can_see_applied'} = 1
- if @direct_queues && $direct_queues[0] == -1;
+ if $direct{'RT::System'};
+ # from this point we only interested in queues
+ %direct = ('RT::Queue' => $direct{'RT::Queue'} || []);
+ my %roles = RT::ACL->_RolesWithRight( Right => 'ShowTicket' );
- my %roles = $self->_RolesCanSee;
- my %skip = map { $_ => 1 } @direct_queues;
+ my %skip = map { $_ => 1 } @{ $direct{'RT::Queue'} };
foreach my $role ( keys %roles ) {
- next unless ref $roles{ $role };
- my @queues = grep !$skip{$_}, @{ $roles{ $role } };
- if ( @queues ) {
- $roles{ $role } = \@queues;
+ if ( $roles{ $role }{'RT::System'} ) {
+ $roles{ $role } = 1;
} else {
- delete $roles{ $role };
+ my @queues = grep !$skip{$_}, @{ $roles{ $role }{'RT::Queue'} || [] };
+ if ( @queues ) {
+ $roles{ $role } = \@queues;
+ } else {
+ delete $roles{ $role };
+ }
@@ -3143,11 +3066,11 @@ sub CurrentUserCanSee {
$groups->Limit( ALIAS => $cgm_alias, FIELD => 'MemberId', VALUE => $id );
$groups->Limit( ALIAS => $cgm_alias, FIELD => 'Disabled', VALUE => 0 );
while ( my $group = $groups->Next ) {
- push @direct_queues, $group->Instance;
+ push @{ $direct{'RT::Queue'} }, $group->Instance;
- unless ( @direct_queues || keys %roles ) {
+ unless ( @{ $direct{'RT::Queue'} } || keys %roles ) {
ALIAS => 'main',
@@ -3191,7 +3114,7 @@ sub CurrentUserCanSee {
my $ea = 'AND';
- $ea = 'OR' if $limit_queues->( $ea, @direct_queues );
+ $ea = 'OR' if $limit_queues->( $ea, @{ $direct{'RT::Queue'} } );
while ( my ($role, $queues) = each %roles ) {
if ( $role eq 'Owner' ) {
commit 785f27e4dc92e19f6f21e0425efc2833ac556327
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Sat Dec 11 06:04:29 2010 +0300
JoinGroupMembers in RT::SearchBuilder
diff --git a/lib/RT/SearchBuilder.pm b/lib/RT/SearchBuilder.pm
index 7e6f00c..9df9dc1 100644
--- a/lib/RT/SearchBuilder.pm
+++ b/lib/RT/SearchBuilder.pm
@@ -422,6 +422,41 @@ sub JoinRoleGroups {
return $groups;
+sub JoinGroupMembers {
+ my $self = shift;
+ my %args = (New => 1, GroupsAlias => undef, ActiveOnly => 1, Left => 1, @_);
+ my $key = join '_', $args{'ActiveOnly'}? ('active'): (),
+ 'group_members', $args{'GroupsAlias'};
+ return $self->{'_sql_aliases'}{ $key }
+ if $self->{'_sql_aliases'}{ $key } && !$args{'New'};
+ my $alias = $self->Join(
+ $args{'Left'} ? (TYPE => 'LEFT') : (),
+ ALIAS1 => $args{'GroupsAlias'},
+ FIELD1 => 'id',
+ TABLE2 => 'CachedGroupMembers',
+ FIELD2 => 'GroupId',
+ );
+ if ( $args{'ActiveOnly'} ) {
+ my $limit = 'Limit';
+ # special case for tickets :(
+ $limit = '_SQLLimit' if $self->isa('RT::Tickets');
+ $self->$limit(
+ $args{'Left'} ? (LEFTJOIN => $alias) : (),
+ ALIAS => $alias,
+ FIELD => 'Disabled',
+ VALUE => 0,
+ );
+ }
+ $self->{'_sql_aliases'}{ $key } = $alias unless $args{'New'};
+ return $alias;
diff --git a/lib/RT/Tickets.pm b/lib/RT/Tickets.pm
index 1575f9d..d3f41c5 100644
--- a/lib/RT/Tickets.pm
+++ b/lib/RT/Tickets.pm
@@ -257,7 +257,6 @@ sub CleanSlate {
$self->SUPER::CleanSlate( @_ );
delete $self->{$_} foreach qw(
- _sql_group_members_aliases
@@ -1061,32 +1060,7 @@ sub _RoleGroupsJoin {
sub _GroupMembersJoin {
- my $self = shift;
- my %args = (New => 1, GroupsAlias => undef, Left => 1, @_);
- return $self->{'_sql_group_members_aliases'}{ $args{'GroupsAlias'} }
- if $self->{'_sql_group_members_aliases'}{ $args{'GroupsAlias'} }
- && !$args{'New'};
- my $alias = $self->Join(
- $args{'Left'} ? (TYPE => 'LEFT') : (),
- ALIAS1 => $args{'GroupsAlias'},
- FIELD1 => 'id',
- TABLE2 => 'CachedGroupMembers',
- FIELD2 => 'GroupId',
- );
- $self->SUPER::Limit(
- $args{'Left'} ? (LEFTJOIN => $alias) : (),
- ALIAS => $alias,
- FIELD => 'Disabled',
- VALUE => 0,
- );
- $self->{'_sql_group_members_aliases'}{ $args{'GroupsAlias'} } = $alias
- unless $args{'New'};
- return $alias;
+ return (shift)->JoinGroupMembers( @_ );
=head2 _WatcherJoin
commit faff527348f94a7d6e99623f9722965e22c5a767
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Sat Dec 11 06:12:24 2010 +0300
UseSQLForACLChecks for RT::Queues
diff --git a/lib/RT/Queues.pm b/lib/RT/Queues.pm
index feb3491..24ec586 100644
--- a/lib/RT/Queues.pm
+++ b/lib/RT/Queues.pm
@@ -107,12 +107,135 @@ This is used for filtering objects for both Next and ItemsArrayRef.
sub AddRecord {
my $self = shift;
my $Queue = shift;
- return unless $Queue->CurrentUserHasRight('SeeQueue');
+ return if !$self->{'_sql_current_user_can_see_applied'}
+ && !$Queue->CurrentUserHasRight('SeeQueue');
push @{$self->{'items'}}, $Queue;
+sub _DoSearch {
+ my $self = shift;
+ $self->CurrentUserCanSee if RT->Config->Get('UseSQLForACLChecks');
+ return $self->SUPER::_DoSearch( @_ );
+sub _DoCount {
+ my $self = shift;
+ $self->CurrentUserCanSee if RT->Config->Get('UseSQLForACLChecks');
+ return $self->SUPER::_DoCount( @_ );
+sub CurrentUserCanSee {
+ my $self = shift;
+ return if $self->{'_sql_current_user_can_see_applied'};
+ return $self->{'_sql_current_user_can_see_applied'} = 1
+ if $self->CurrentUser->UserObj->HasRight(
+ Right => 'SuperUser', Object => $RT::System
+ );
+ my $id = $self->CurrentUser->id;
+ # directly can see in all queues then we have nothing to do
+ my %direct = RT::ACL->_ObjectsDirectlyHasRightOn(
+ User => $id,
+ Right => 'SeeQueue',
+ );
+ return $self->{'_sql_current_user_can_see_applied'} = 1
+ if $direct{'RT::System'};
+ # from this point we only interested in queues
+ %direct = ('RT::Queue' => $direct{'RT::Queue'} || []);
+ my %roles = RT::ACL->_RolesWithRight( Right => 'SeeQueue' );
+ {
+ my %skip = map { $_ => 1 } @{ $direct{'RT::Queue'} };
+ foreach my $role ( keys %roles ) {
+ if ( $roles{ $role }{'RT::System'} ) {
+ $roles{ $role } = 1;
+ } else {
+ my @queues = grep !$skip{$_}, @{ $roles{ $role }{'RT::Queue'} || [] };
+ if ( @queues ) {
+ $roles{ $role } = \@queues;
+ } else {
+ delete $roles{ $role };
+ }
+ }
+ }
+ }
+ unless ( @{$direct{'RT::Queue'}} || keys %roles ) {
+ $self->SUPER::Limit(
+ ALIAS => 'main',
+ FIELD => 'id',
+ VALUE => 0,
+ );
+ return $self->{'_sql_current_user_can_see_applied'} = 1;
+ }
+ {
+ my ($role_group_alias, $cgm_alias);
+ if ( keys %roles ) {
+ $role_group_alias = $self->JoinRoleGroups( New => 1 );
+ $cgm_alias = $self->JoinGroupMembers( GroupsAlias => $role_group_alias );
+ $self->Limit(
+ LEFTJOIN => $cgm_alias,
+ FIELD => 'MemberId',
+ OPERATOR => '=',
+ VALUE => $id,
+ );
+ }
+ my $limit_queues = sub {
+ my $ea = shift;
+ my @queues = @_;
+ return 0 unless @queues;
+ $self->Limit(
+ ALIAS => 'main',
+ FIELD => 'id',
+ VALUE => '('. join(', ', @queues) .')',
+ );
+ return 1;
+ };
+ $self->SUPER::_OpenParen('ACL');
+ my $ea = 'AND';
+ $ea = 'OR' if $limit_queues->( $ea, @{ $direct{'RT::Queue'} } );
+ while ( my ($role, $queues) = each %roles ) {
+ $self->SUPER::_OpenParen('ACL');
+ $self->Limit(
+ ALIAS => $cgm_alias,
+ FIELD => 'MemberId',
+ VALUE => 'NULL',
+ );
+ $self->Limit(
+ ALIAS => $role_group_alias,
+ FIELD => 'Type',
+ VALUE => $role,
+ );
+ $limit_queues->( 'AND', @$queues ) if ref $queues;
+ $ea = 'OR' if $ea eq 'AND';
+ $self->SUPER::_CloseParen('ACL');
+ }
+ $self->SUPER::_CloseParen('ACL');
+ }
+ return $self->{'_sql_current_user_can_see_applied'} = 1;
More information about the Rt-commit
mailing list