[Rt-commit] rt branch, 4.2/grant-rights-to-roles-on-cfs, created. rt-4.1.6-137-gfefbe84

Thomas Sibley trs at bestpractical.com
Thu Jan 24 13:40:19 EST 2013


The branch, 4.2/grant-rights-to-roles-on-cfs has been created
        at  fefbe8433acbc911c0c48fbce12214e02f23e10e (commit)

- Log -----------------------------------------------------------------
commit fefbe8433acbc911c0c48fbce12214e02f23e10e
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri Jan 11 13:44:35 2013 -0800

    Expose the ability to grant rights to roles on custom fields
    
    Roles for the CF's LookupType — specifically the record class that CFs
    are added to — are shown.  This means the roles listed will vary
    depending on the type of CF.  The utility of this is that you can grant
    Requestors rights on a per-CF basis instead of granting them the same
    rights on all CFs on a per-queue basis.  Previously the only option for
    the former was to use user-defined groups and grant permissions a bit too
    broadly, which was only acceptable because you could then limit who
    could get to the CFs in the web UI by rights like ShowTicket.  This
    workaround was a bit of a drag, though.
    
    Since there is no context object — and splitting out the same set of
    roles for each record the CF is added to leads to a horrible UI — only
    support granting rights to the global role groups.
    
    There is certainly utility in being able to grant a right to a role
    group on a specific CF application (i.e. a specific queue), and the ACL
    system supports it.  However, the UI would be burdensome without a lot
    of work, and it adds complexity to an already complex rights interface.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 09a0027..b88aca1 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -3391,12 +3391,29 @@ sub GetPrincipalsMap {
         }
         elsif (/Roles/) {
             my $roles = RT::Groups->new($session{'CurrentUser'});
-            $roles->LimitToRolesForObject($object);
-            $roles->OrderBy( FIELD => 'Type', ORDER => 'ASC' );
-            push @map, [
-                'Roles' => $roles,  # loc_left_pair
-                'Type'  => 1
-            ];
+
+            if ($object->isa("RT::CustomField")) {
+                # If we're a custom field, show the global roles for our LookupType.
+                my $class = $object->RecordClassFromLookupType;
+                if ($class and $class->DOES("RT::Record::Role::Roles")) {
+                    $roles->LimitToRolesForObject(RT->System);
+                    $roles->Limit( FIELD => "Type", VALUE => $_ )
+                        for $class->Roles;
+                } else {
+                    # No roles to show; so show nothing
+                    undef $roles;
+                }
+            } else {
+                $roles->LimitToRolesForObject($object);
+            }
+
+            if ($roles) {
+                $roles->OrderBy( FIELD => 'Type', ORDER => 'ASC' );
+                push @map, [
+                    'Roles' => $roles,  # loc_left_pair
+                    'Type'  => 1
+                ];
+            }
         }
         elsif (/Users/) {
             my $Users = RT->PrivilegedUsers->UserMembersObj();
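Review bot: In the new RT::CustomField branch, the Type restriction is added only by the loop `$roles->Limit( FIELD => "Type", VALUE => $_ ) for $class->Roles;`, so if `$class->Roles` ever returns an empty list the collection is limited only by `LimitToRolesForObject(RT->System)` and every system role group would be offered for rights on this CF. Consider capturing the list first and falling through to the `undef $roles` path when it is empty. Since correctness also depends on several Limit calls on the same field being combined as alternatives, a short comment (or an explicit entry aggregator) would make that intent clear to the next reader. The existing comment could also say that the groups come from RT->System rather than from the objects the CF is applied to, because that is what determines how widely a granted right reaches.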
diff --git a/share/html/Admin/CustomFields/GroupRights.html b/share/html/Admin/CustomFields/GroupRights.html
index e58268f..b8096a8 100644
--- a/share/html/Admin/CustomFields/GroupRights.html
+++ b/share/html/Admin/CustomFields/GroupRights.html
@@ -70,7 +70,7 @@ my @results = ProcessACLs( \%ARGS );
 my $title = loc('Modify group rights for custom field [_1]', $CustomFieldObj->Name);
 
 # Principal collections
-my @principals = GetPrincipalsMap($CustomFieldObj, qw(System Groups));
+my @principals = GetPrincipalsMap($CustomFieldObj, qw(System Roles Groups));
 </%INIT>
 
 <%ARGS>
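Review bot: Adding Roles to `qw(System Roles Groups)` exposes the new principals on this page, but neither hunk of the patch brings a test that grants a right to a role group on a custom field and checks who ends up holding it. Per the commit message these are the global role groups, so a right granted here applies wherever the CF is applied rather than to one queue; a brief note on the page or in the admin documentation would help administrators avoid granting more than they intend. A test covering a CF whose LookupType class has no roles (the `undef $roles` path in GetPrincipalsMap) would also confirm the Roles section is simply omitted.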

-----------------------------------------------------------------------

