[Rt-commit] rt branch, 4.2/cf-limits-with-role-rights, created. rt-4.1.19-27-ga4c8bfa

Alex Vandiver alexmv at bestpractical.com
Mon Aug 26 12:22:33 EDT 2013


The branch, 4.2/cf-limits-with-role-rights has been created
        at  a4c8bfa4cbbe1744f79bcb5fa9c78da83733648c (commit)

- Log -----------------------------------------------------------------
commit 717c30d34d03e0779896597a279b8773701786b1
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Aug 20 20:47:43 2013 -0400

    Switch two locations which call ->Type directly to examining $type

diff --git a/lib/RT/SearchBuilder.pm b/lib/RT/SearchBuilder.pm
index 94f299a..251bcd0 100644
--- a/lib/RT/SearchBuilder.pm
+++ b/lib/RT/SearchBuilder.pm
@@ -602,7 +602,7 @@ sub _LimitCustomField {
             $date->Set( Format => 'unknown', Value => $value );
             if ( $date->Unix ) {
                 if (
-                       $cf->Type eq 'Date'
+                       $type eq 'Date'
                            # Heuristics to determine if a date, and not
                            # a datetime, was entered:
                     || $value =~ /^\s*(?:today|tomorrow|yesterday)\s*$/i
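Review bot: The new `$type eq 'Date'` test depends on a `$type` variable whose assignment is not part of this hunk, so the patch as shown does not establish that it always holds what `$cf->Type` returned at this point. If `$type` can be undefined on any path that reaches this branch, `eq` will emit an uninitialized-value warning; either guard the comparison with a default or add a comment at the assignment stating that it is always set before the date handling runs. The commit message would also benefit from one sentence on why the direct `->Type` call is being replaced.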
@@ -619,7 +619,7 @@ sub _LimitCustomField {
             }
 
             # Recurse if day equality is being checked on a datetime
-            if ( $cf->Type eq 'DateTime' and $op eq '=' && $value !~ /:/ ) {
+            if ( $type eq 'DateTime' and $op eq '=' && $value !~ /:/ ) {
                 my $date = RT::Date->new( $self->CurrentUser );
                 $date->Set( Format => 'unknown', Value => $value );
                 my $daystart = $date->ISO;
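Review bot: The condition on the changed line mixes `and` with `&&` (`$type eq 'DateTime' and $op eq '=' && $value !~ /:/`). The result is the same either way here because every term is conjoined, but mixed-precedence operators on one line invite a grouping mistake if an `or` is ever added. Since the line is being touched anyway, use a single operator throughout.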

commit a4c8bfa4cbbe1744f79bcb5fa9c78da83733648c
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Aug 20 20:22:50 2013 -0400

    Avoid warnings and build better queries on CF limits with role rights
    
    It is possible to create limits on custom fields which you don't have
    global rights on, only role rights (via a queue, for instance).  Due to
    the lack of context object when loading CFs in a search context (as
    there is no clear queue/ticket to use), a simple ->Load returns an
    object which the current user has no rights on.  This causes warnings
    when attempting to inspect properties of the CF to determine how to
    build the query.
    
    As $cf never escapes beyond _LimitCustomField and _CustomFieldJoin, and
    is only used to better be able to build optimal queries, simply load as
    the system user.  This does not impact the results returned, but merely
    allows more optimal queries to be generated.
    
    The other possibility would be to switch to calling ->__Value() for all
    accesses, to skip access control.  However, this is complicated by calls
    to non-column methods such as ->SingleValue; as such, loading as the
    system user was deemed a cleaner solution.

diff --git a/lib/RT/SearchBuilder.pm b/lib/RT/SearchBuilder.pm
index 251bcd0..f399e78 100644
--- a/lib/RT/SearchBuilder.pm
+++ b/lib/RT/SearchBuilder.pm
@@ -480,7 +480,11 @@ sub _LimitCustomField {
     if (blessed($cf) and $cf->id) {
         $cfkey ||= $cf->id;
     } elsif ($cf =~ /^\d+$/) {
-        my $obj = RT::CustomField->new( $self->CurrentUser );
+        # Intentionally load as the system user, so we can build better
+        # queries; this is necessary as we don't have a context object
+        # which might grant the user rights to see the CF.  This object
+        # is only used to inspect the properties of the CF itself.
+        my $obj = RT::CustomField->new( RT->SystemUser );
         $obj->Load($cf);
         if ($obj->id) {
             $cf = $obj;
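Review bot: Constructing the object with `RT->SystemUser` skips the current user's rights check, and `$cf = $obj;` then hands that unrestricted object to the rest of `_LimitCustomField`, so the guarantee that it is "only used to inspect the properties of the CF itself" rests on the comment alone. Extend the comment to say that `$cf` must not be returned, stored on `$self`, or interpolated into user-visible messages, so a later change does not turn this into a disclosure of custom fields the user cannot see. The patch as shown changes only lib/RT/SearchBuilder.pm; a test that runs the same CF limit as a user with only role rights and as a user with no rights on the CF, asserting unchanged results and no warnings, would pin down the claim that results are not affected.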

-----------------------------------------------------------------------

