[Rt-commit] rt branch, 4.2/user-cf-simplesearch, created. rt-4.2.9-76-g56f0f84

Kevin Falcone falcone at bestpractical.com
Wed Feb 4 12:46:17 EST 2015


The branch, 4.2/user-cf-simplesearch has been created
        at  56f0f841f95ad6edd351e4bad1f300031d655d18 (commit)

- Log -----------------------------------------------------------------
commit 56f0f841f95ad6edd351e4bad1f300031d655d18
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Fri Jan 30 16:45:40 2015 -0500

    Load a Custom Field to improve searches
    
    Passing the name causes RT to generate a query that joins through
    CustomFields, ObjectCustomFields, ObjectCustomFieldValues and performs
    really poorly on anyone with real data in OCFVs.
    
    If you pass in an id, LimitCustomField will load as SystemUser and
    create better SQL (see a4c8bfa4 for more).  If you pass in a real
    object, there's even more optimizations the code can make.
    
    Loading as SystemUser is concerning, however the Fields to search by are
    pulled from the system configuration and are not tweakable by any of the
    User endpoints.  Someone could write code that calls
    RT::Users->SimpleSearch, but that's outside core.
    
    Code using this system CF object are just inspecting values, so should
    be safe.
    
    The code has always walked around ACLs on the User CF for searching
    because it joined to CustomFields by name, without loading the object
    and sanity checking if the currentuser can see it.  This maintains backwards
    compatibility with the behavior, since an admin saying "Search this CF"
    should continue to just work.
    
    If configured with a User CF it cannot load (or if someone calls this
    method on an RT::Users collection) we will not generate a poorly
    performant search and instead will warn and skip the CF.

diff --git a/lib/RT/Users.pm b/lib/RT/Users.pm
index f1ca663..a8e81eb 100644
--- a/lib/RT/Users.pm
+++ b/lib/RT/Users.pm
@@ -624,13 +624,19 @@ sub SimpleSearch {
 
         if ($name =~ /^CF\.(?:\{(.*)}|(.*))$/) {
             my $cfname = $1 || $2;
-            $self->LimitCustomField(
-                CUSTOMFIELD     => $cfname,
-                OPERATOR        => $op,
-                VALUE           => $args{Term},
-                ENTRYAGGREGATOR => 'OR',
-                SUBCLAUSE       => 'autocomplete',
-            );
+            my $cf = RT::CustomField->new(RT->SystemUser);
+            my ($ok, $msg) = $cf->LoadByName( Name => $cfname, LookupType => 'RT::User');
+            if ( $ok ) {
+                $self->LimitCustomField(
+                    CUSTOMFIELD     => $cf->Id,
+                    OPERATOR        => $op,
+                    VALUE           => $args{Term},
+                    ENTRYAGGREGATOR => 'OR',
+                    SUBCLAUSE       => 'autocomplete',
+                );
+            } else {
+                RT->Logger->warning("Asked to search custom field $name but unable to load a User CF with the name $cfname: $msg");
+            }
         } else {
             $self->Limit(
                 FIELD           => $name,
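
Review bot: The `RT::CustomField->new(RT->SystemUser)` load on the first added line bypasses the current user's rights on the custom field, and nothing in the code itself says this is deliberate. The commit message gives the reasoning (the fields come from system configuration and the old name-based join never checked ACLs either), so a short comment above that line would stop a later reader from "fixing" it or from reusing `$cf` for anything that returns field data to the caller; passing only `$cf->Id` onward, as done here, keeps the exposure to the search itself. In the `else` branch, `RT->Logger->warning(...)` runs on every SimpleSearch call for as long as the configuration names a field that cannot be loaded, which on an autocomplete path can produce a lot of log noise; the message could also say the field is being skipped so the admin knows the search still ran. The patch adds no test covering the skipped-field branch.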

-----------------------------------------------------------------------

