[Rt-commit] rt branch, 4.2/see-queue-groups, created. rt-4.2.9-61-ga94cb39
Alex Vandiver
alexmv at bestpractical.com
Tue Dec 30 13:41:34 EST 2014
The branch, 4.2/see-queue-groups has been created
at a94cb3998c36019791d97264e039057967be94c3 (commit)
- Log -----------------------------------------------------------------
commit a94cb3998c36019791d97264e039057967be94c3
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Dec 30 13:13:01 2014 -0500
Always allow role and system groups to be enumerated
Previously, the SeeGroup right controlled RT::Groups results even for
internal groups; this caused the queue rights page for a user with
AdminQueue but not SeeGroup to not list Everyone / Privileged /
Unprivileged, nor the queue role groups.
Allow system groups to always be seen, and role groups to be seen if the
user can see the object the role group is on. This is a broadening of
the privileges that previously existed.
Note that as this limit applies to ->Next, and not ->AddRecord, and as
->CurrentUserCanSee is not used to ACL ->_Value, this does not enforce a
group ACL globally. ->ItemsArrayRef will still return all matching
groups, regardless of rights, and any explicitly loaded group can be
examined.
Moving the ACL to ->AddRecord is complicated at this time, as users need
the ability to see groups which are watchers on tickets they can see,
which is difficult to impose in a performant manner.
Fixes: I#30416
diff --git a/lib/RT/Group.pm b/lib/RT/Group.pm
index f38f7a1..ebe1cc1 100644
--- a/lib/RT/Group.pm
+++ b/lib/RT/Group.pm
@@ -1358,15 +1358,28 @@ sub _Set {
=head2 CurrentUserCanSee
-Always returns 1; unfortunately, for historical reasons, users have
-always been able to examine groups they have indirect access to, even if
-they do not have SeeGroup explicitly.
+Returns 1 if the group is user-defined and the user has SeeGroup on it;
+returns 1 for internal groups, or role groups on objects which the user
+has permissions to see.
=cut
sub CurrentUserCanSee {
my $self = shift;
- return 1;
+
+ if ($self->Domain eq "UserDefined") {
+ return $self->CurrentUserHasRight("SeeGroup");
+ } elsif ($self->Domain eq "SystemInternal") {
+ return 1;
+ } elsif ($self->Domain eq "ACLEquivalence") {
+ return 1;
+ } elsif ($self->RoleClass) {
+ my $role = $self->RoleGroupObject;
+ return $role->CurrentUserCanSee if $role->can("CurrentUserCanSee");
+ return 1;
+ } else {
+ return 1;
+ }
}
diff --git a/lib/RT/Groups.pm b/lib/RT/Groups.pm
index 1ecc312..820cc87 100644
--- a/lib/RT/Groups.pm
+++ b/lib/RT/Groups.pm
@@ -458,27 +458,18 @@ sub LimitToDeleted {
}
-
sub Next {
my $self = shift;
- # Don't show groups which the user isn't allowed to see.
+ my $group = $self->SUPER::Next();
+ return unless $group;
- my $Group = $self->SUPER::Next();
- if ((defined($Group)) and (ref($Group))) {
- unless ($Group->CurrentUserHasRight('SeeGroup')) {
- return $self->Next();
- }
+ return $self->Next unless $group->CurrentUserCanSee;
- return $Group;
- }
- else {
- return undef;
- }
+ return $group;
}
-
sub _DoSearch {
my $self = shift;
diff --git a/lib/RT/Ticket.pm b/lib/RT/Ticket.pm
index 6059eb0..6988766 100644
--- a/lib/RT/Ticket.pm
+++ b/lib/RT/Ticket.pm
@@ -2854,7 +2854,7 @@ sub CurrentUserCanSee {
my ($what, $txn) = @_;
return 0 unless $self->CurrentUserHasRight('ShowTicket');
- return 1 if $what ne "Transaction";
+ return 1 unless $what and $what eq "Transaction";
# If it's a comment, we need to be extra special careful
my $type = $txn->__Value('Type');
-----------------------------------------------------------------------
More information about the rt-commit
mailing list