[Rt-commit] rt branch, 4.2/user-cf-simplesearch, created. rt-4.2.9-76-g24bea75

Kevin Falcone falcone at bestpractical.com
Fri Jan 30 16:57:22 EST 2015


The branch, 4.2/user-cf-simplesearch has been created
        at  24bea750e068f094ba0984326321f6d2c574e9af (commit)

- Log -----------------------------------------------------------------
commit 24bea750e068f094ba0984326321f6d2c574e9af
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Fri Jan 30 16:45:40 2015 -0500

    Load a Custom Field to improve searches
    
    Passing the name causes RT to generate a query that joins through
    CustomFields, ObjectCustomFields, ObjectCustomFieldValues and performs
    really poorly on anyone with real data in OCFVs.
    
    If you pass in an id, LimitCustomField will load as SystemUser and
    create better SQL (see a4c8bfa4 for more).  If you pass in a real
    object, there are even more optimizations the code can make.
    
    Loading as SystemUser is concerning, however the Fields to search by are
    pulled from the system configuration and are not tweakable by any of the
    User endpoints.  Someone could write code that calls
    RT::Users->SimpleSearch, but that's outside core.
    
    Code using this system CF object is just inspecting values, so should
    be safe.
    
    The code has always walked around ACLs on the User CF for searching
    because it joined to CustomFields by name, without loading the object
    and sanity checking if the currentuser can see it.  This maintains backwards
    compatibility with the behavior, since an admin saying "Search this CF"
    should continue to just work.

diff --git a/lib/RT/Users.pm b/lib/RT/Users.pm
index f1ca663..bbbca1c 100644
--- a/lib/RT/Users.pm
+++ b/lib/RT/Users.pm
@@ -624,8 +624,11 @@ sub SimpleSearch {
 
         if ($name =~ /^CF\.(?:\{(.*)}|(.*))$/) {
             my $cfname = $1 || $2;
+            my $cf = RT::CustomField->new($self->CurrentUser);
+            $cf->LoadByName( Name => $cfname, LookupType => 'RT::User');
+            my $cfsearch = $cf->Id ? $cf : $cfname;
             $self->LimitCustomField(
-                CUSTOMFIELD     => $cfname,
+                CUSTOMFIELD     => $cfsearch,
                 OPERATOR        => $op,
                 VALUE           => $args{Term},
                 ENTRYAGGREGATOR => 'OR',
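
Review bot: The added RT::CustomField->new($self->CurrentUser) line creates the CF object as the calling user, while the commit message reasons about a SystemUser load and about keeping the long-standing behaviour of searching regardless of the caller's rights on the CF. A short comment above the LoadByName call stating which principal is intended, and why skipping the ACL check is acceptable for fields that come only from system configuration, would keep that reasoning next to the code. The fallback in "$cf->Id ? $cf : $cfname" silently returns to the name-based join that the message describes as performing poorly, so a debug log line on that path would make a misspelled or missing CF name in the configuration visible. It is also worth confirming the behaviour when more than one user CF shares $cfname: the old limit matched by name, whereas a loaded object pins the search to a single field.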

-----------------------------------------------------------------------

