[Rt-commit] rt branch, 4.0/customfieldlookupid-acl-regression, created. rt-4.0.9-16-gac97163
Kevin Falcone
falcone at bestpractical.com
Wed Jan 23 15:43:39 EST 2013
The branch, 4.0/customfieldlookupid-acl-regression has been created
at ac97163f131511f5b8955b500e32b04ba4bba5fa (commit)
- Log -----------------------------------------------------------------
commit f04143ffa39a062011c2b4a93f05e36864c78e96
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Wed Jan 23 15:34:11 2013 -0500

Ensure that Custom Fields submitted are saved to the database.

There was a regression in 4.0.9 (a64a16d1c) which meant that even if you
had SeeQueue, CreateTicket, ModifyCustomField and SeeCustomField and the
custom field appeared for editing, it would be lost during the
submission. If you had ShowTicket, it worked fine.

diff --git a/t/security/embargo b/t/security/embargo
new file mode 120000
index 0000000..9ff2299
--- /dev/null
+++ b/t/security/embargo
@@ -0,0 +1 @@
+/Users/falcone/work/private-git/rt-security-tests/
\ No newline at end of file
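Review bot: The new symlink t/security/embargo targets an absolute path under a developer's home directory (`/Users/falcone/work/private-git/rt-security-tests/`), so it will dangle on every other checkout, and it publishes a local directory layout and the name of a private test repository. It is also unrelated to the commit message, which is about saving custom field values, so it looks like it was staged by accident. Drop it from this commit and add t/security/embargo to the ignore list so it cannot be committed again.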
diff --git a/t/web/ticket_display.t b/t/web/ticket_display.t
index a9cab0c..35e9217 100644
--- a/t/web/ticket_display.t
+++ b/t/web/ticket_display.t
@@ -1,7 +1,7 @@
use strict;
use warnings;
-use RT::Test tests => 18;
+use RT::Test tests => undef;
my $queue = RT::Test->load_or_create_queue( Name => 'General' );
@@ -10,10 +10,15 @@ my $user = RT::Test->load_or_create_user(
Password => 'password',
);
+my $cf = RT::Test->load_or_create_custom_field( Name => 'test_cf', Queue => $queue->Name, Type => 'FreeformSingle' );
+my $cf_form_id = 'Object-RT::Ticket--CustomField-'.$cf->Id.'-Value';
+my $cf_test_value = "some string for test_cf $$";
+
my ( $baseurl, $m ) = RT::Test->started_ok;
ok(
RT::Test->set_rights(
{ Principal => $user, Right => [qw(SeeQueue CreateTicket)] },
+ { Principal => $user, Object => $queue, Right => [qw(SeeCustomField ModifyCustomField)] }
),
'set rights'
);
@@ -26,7 +31,7 @@ diag "test ShowTicket right";
$m->get_ok( '/Ticket/Create.html?Queue=' . $queue->id,
'go to ticket create page' );
my $form = $m->form_name('TicketCreate');
- $m->submit_form( fields => { Subject => 'ticket foo' } );
+ $m->submit_form( fields => { Subject => 'ticket foo', $cf_form_id => $cf_test_value } );
my $ticket = RT::Test->last_ticket;
ok( $ticket->id, 'ticket is created' );
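Review bot: After `$m->submit_form(...)` now sends `$cf_form_id => $cf_test_value`, nothing in this hunk checks that the value reached the ticket; the only assertion on it is the later `content_contains` on the display page, which also depends on page rendering and on the user being allowed to view the ticket. Since the commit message places the regression in the submission step, assert on the record right after `ok( $ticket->id, 'ticket is created' )`, for example `is( $ticket->FirstCustomFieldValue('test_cf'), $cf_test_value, 'CF saved on create' );`, so a failure points at the create step rather than at the display step.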
@@ -56,8 +61,9 @@ diag "test ShowTicket right";
$m->content_lacks( "No permission to view ticket", 'no error msg' );
$m->title_is( "#$id: ticket foo", 'we can it' );
+ $m->content_contains($cf_test_value, "Custom Field was submitted and saved");
}
-# TODO more /Ticket/Display.html tests here
-
+undef $m;
+done_testing();

commit ac97163f131511f5b8955b500e32b04ba4bba5fa
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Wed Jan 23 15:36:34 2013 -0500

Check the id from the table and by loading the Object.

An optimization was added in a64a16d1c so that if you were trying to
find the "Custom Field Object" from a Ticket, it would shortcut and
return $ticket->Queue rather than loading $ticket->QueueObj->Id.

Unfortunately, $ticket->Queue is protected by ShowTicket while
$ticket->QueueObj->Id is protected by SeeQueue. It's not uncommon in RT
for a user to be granted SeeQueue and CreateTicket but not be given
ShowTicket (a dropbox queue where you create tickets but then don't see
them anymore).

In this setup on 4.0.9, any custom field values entered on
Ticket/Create.html will be silently discarded because $ticket->Queue
returns undef. This results in the Custom Field not being found and
AddCustomFieldValue not saving it.

This was revealed in the RTIR test suite which tests just such a
scenario using Constituencies (you can submit a ticket that you then
can't see because it belongs to a separate Constituency).

diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
index 8dcf4d1..0310475 100644
--- a/lib/RT/Record.pm
+++ b/lib/RT/Record.pm
@@ -1597,7 +1597,12 @@ sub CustomFieldLookupId {
$object = $object->$method;
}
- return $object->$final;
+ my $id = $object->$final;
+ unless (defined $id) {
+ my $method = "${final}Obj";
+ $id = $object->$method->Id;
+ }
+ return $id;
}
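Review bot: The fallback `$id = $object->$method->Id;` calls `Id` on whatever `${final}Obj` returns without checking it, and it assumes every `$final` accessor has an `Obj` counterpart; if that method does not exist or returns undef, this dies where the old code returned undef. Guard it, e.g. `my $obj = $object->can($method) && $object->$method; $id = $obj->Id if $obj;`. The new `my $method` also reuses the name seen in `$object = $object->$method;` just above, so a distinct name such as `$obj_method` would read better, and a short code comment saying that the direct accessor can return undef for ACL reasons (ShowTicket versus SeeQueue, per the commit message) would explain why the second lookup exists.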
-----------------------------------------------------------------------