[Rt-commit] rt branch, 4.2/see-queue-groups, repushed
Alex Vandiver
alexmv at bestpractical.com
Mon Mar 30 19:42:04 EDT 2015
The branch 4.2/see-queue-groups was deleted and repushed:
was a94cb3998c36019791d97264e039057967be94c3
now a31a88c0a73d129fd3c6e7a1233109008ce94a18
1: a94cb39 ! 1: a31a88c Always allow role and system groups to be enumerated
@@ -11,15 +11,9 @@
user can see the object the role group is on. This is a broadening of
the privileges that previously existed.
- Note that as this limit applies to ->Next, and not ->AddRecord, and as
- ->CurrentUserCanSee is not used to ACL ->_Value, this does not enforce a
- group ACL globally. ->ItemsArrayRef will still return all matching
- groups, regardless of rights, and any explicitly loaded group can be
- examined.
-
- Moving the ACL to ->AddRecord is complicated at this time, as users need
- the ability to see groups which are watchers on tickets they can see,
- which is difficult to impose in a performant manner.
+ Note that as ->CurrentUserCanSee is not used to ACL ->_Value, this does
+ not quite enforce a group ACL globally; any explicitly loaded group can
+ still be examined.
Fixes: I#30416
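Review bot: The rewritten note at the end of the commit message drops the paragraph explaining that moving the ACL to ->AddRecord was hard to do performantly, because users must see groups that are watchers on tickets they can see, and does not say how that concern was resolved. Since the revised patch does put the check in ->AddRecord, add a sentence saying what makes it acceptable there. Keep the remaining caveat explicit: ->_Value is not covered, so an explicitly loaded group stays readable regardless of ->CurrentUserCanSee.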
@@ -64,30 +58,13 @@
--- a/lib/RT/Groups.pm
+++ b/lib/RT/Groups.pm
@@
- }
+ # If we've explicitly limited to groups the user is a member of (for
+ # dashboard or savedsearch privacy objects), skip the ACL.
+ return unless $self->{with_current_user}
+- or $record->CurrentUserHasRight('SeeGroup');
++ or $record->CurrentUserCanSee;
-
--
- sub Next {
- my $self = shift;
-
-- # Don't show groups which the user isn't allowed to see.
-+ my $group = $self->SUPER::Next();
-+ return unless $group;
-
-- my $Group = $self->SUPER::Next();
-- if ((defined($Group)) and (ref($Group))) {
-- unless ($Group->CurrentUserHasRight('SeeGroup')) {
-- return $self->Next();
-- }
-+ return $self->Next unless $group->CurrentUserCanSee;
-
-- return $Group;
-- }
-- else {
-- return undef;
-- }
-+ return $group;
+ return $self->SUPER::AddRecord( $record );
}
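Review bot: In the ->AddRecord check, `$self->{with_current_user}` skips the ACL entirely, so the filter is only as sound as that flag. The lines shown do not say where it is set, or whether it is cleared when the collection's limits are reset and the object is reused. Please name the method that sets it in the comment, and add a test that a user lacking the right gets the same filtered set from ->Next and ->ItemsArrayRef now that the ->Next override is removed. The bare `return` also makes ->AddRecord drop the record silently, which deserves a word in the comment.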