[Rt-commit] rt branch, 4.4/right-granted-message, created. rt-4.2.11-176-gebdae97

Dustin Graves dustin at bestpractical.com
Thu Sep 17 14:54:44 EDT 2015

The branch, 4.4/right-granted-message has been created
        at  ebdae97bca07f57c8c9178e04cf981066c9de76a (commit)

- Log -----------------------------------------------------------------
commit ebdae97bca07f57c8c9178e04cf981066c9de76a
Author: Dustin Graves <dustin at bestpractical.com>
Date:   Tue Aug 4 16:20:43 2015 -0400

    Mention principal and right in granted and revoked messages
    Also fix an error message to use the new better method for principal name
    Fixes: I#30959

diff --git a/lib/RT/ACE.pm b/lib/RT/ACE.pm
index b6e9815..7ebad76 100644
--- a/lib/RT/ACE.pm
+++ b/lib/RT/ACE.pm
@@ -269,7 +269,7 @@ sub Create {
     if ( $self->Id ) {
         return ( 0, $self->loc('[_1] already has the right [_2] on [_3] [_4]',
-                    $princ_obj->Object->Name, $args{'RightName'}, $args{'ObjectType'},  $args{'ObjectId'}) );
+                    $princ_obj->DisplayName, $args{'RightName'}, $args{'ObjectType'},  $args{'ObjectId'}) );
     my $id = $self->SUPER::Create( PrincipalId   => $princ_obj->id,
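Review bot: `$princ_obj->DisplayName` can be undef here, because the method added in lib/RT/Principal.pm returns undef when the principal has no `Object`, and this `loc` call passes it straight into the `[_1]` slot. Unless an earlier check in `Create` (outside this hunk) guarantees a loaded object, the message would come out with an empty name and an uninitialized-value warning. The new strings in the `-285` hunk of `Create` and in `_Delete` take the same value and share the concern. A fallback at the call site such as `$princ_obj->DisplayName // $princ_obj->id` would keep the message meaningful, assuming the file's minimum Perl allows `//`. `Create` starts and ends outside this hunk.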
@@ -285,7 +285,7 @@ sub Create {
             RightName   => $self->RightName,
             ACE         => $self,
-        return ( $id, $self->loc('Right Granted') );
+        return ( $id, $self->loc("Granted right '[_1]' to [_2].", $self->RightName, $princ_obj->DisplayName));
     else {
         return ( 0, $self->loc('System error. Right not granted.') );
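Review bot: The success message on the `return ( $id, $self->loc("Granted right ...` line now embeds `$princ_obj->DisplayName`, which comes from a user or group name, where the old string was a fixed literal. Whatever template displays this result string needs to HTML-escape it; that rendering code is not part of this diff, so it is worth confirming before merge. The revoke message in `_Delete` has the same property. A case in t/web/rights.t that uses a principal name containing markup characters would pin the behaviour down. `Create` continues outside this hunk.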
@@ -336,7 +336,7 @@ sub _Delete {
     if ($val) {
         RT::ACE->InvalidateCaches( Action => "Revoke", RightName => $right );
         $RT::Handle->Commit() unless $InsideTransaction;
-        return ( $val, $self->loc('Right revoked') );
+        return ( $val, $self->loc("Revoked right '[_1]' from [_2].", $right, $self->PrincipalObj->DisplayName));
     $RT::Handle->Rollback() unless $InsideTransaction;
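Review bot: `$self->PrincipalObj->DisplayName` is evaluated only after the delete has succeeded and been committed, so it depends on the record's principal field still being readable at that point. The right name, by contrast, comes from the local `$right`, which appears to be captured earlier, outside this hunk. Capturing the name alongside it before the delete, e.g. `my $principal_name = $self->PrincipalObj->DisplayName;`, and passing `$principal_name` to `loc` would remove that dependency and keep the two values consistent. `_Delete` starts and ends outside this hunk, so the delete call itself is not visible here.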
diff --git a/lib/RT/Principal.pm b/lib/RT/Principal.pm
index 8cf509d..b09060d 100644
--- a/lib/RT/Principal.pm
+++ b/lib/RT/Principal.pm
@@ -146,7 +146,23 @@ sub Object {
+=head2 DisplayName
+Returns the relevant display name for this principal
+sub DisplayName {
+    my $self = shift;
+    return undef unless $self->Object;
+    # If this principal is an ACLEquivalence group, return the user name
+    return $self->Object->InstanceObj->Name if ($self->Object->Domain eq 'ACLEquivalence');
+    # Otherwise, show the group name
+    return $self->Object->Name;
 =head2 GrantRight  { Right => RIGHTNAME, Object => undef }
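Review bot: `DisplayName` calls `->Domain` on whatever `Object` returns, and its comments only consider group principals. If `Object` can also return a user object (its body is outside this hunk), that call fails unless the user class provides `Domain`. Guarding the branch, e.g. `if ( $self->IsGroup && $self->Object->Domain eq 'ACLEquivalence' )`, would make the method safe as a general accessor on any principal. The POD should also state that undef is returned when no object can be loaded, since the callers in lib/RT/ACE.pm interpolate the result into user-visible messages.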
diff --git a/t/web/rights.t b/t/web/rights.t
index c7e8aac..8f44639 100644
--- a/t/web/rights.t
+++ b/t/web/rights.t
@@ -1,82 +1,271 @@
 use strict;
 use warnings;
-use RT::Test tests => 14;
+use RT::Test tests => undef;
 my ($baseurl, $m) = RT::Test->started_ok;
 ok $m->login, "logged in";
-$m->follow_link_ok({ id => 'admin-global-group-rights'});
 sub get_rights {
     my $agent = shift;
     my $principal_id = shift;
     my $object = shift;
-    $agent->form_name('ModifyGroupRights');
+    my $form_name = shift;
+    $agent->form_name($form_name);
     my @inputs = $agent->current_form->find_input("SetRights-$principal_id-$object");
     my @rights = sort grep $_, map $_->possible_values, grep $_ && $_->value, @inputs;
     return @rights;
-diag "load Everyone group";
-my ($everyone, $everyone_gid);
-    $everyone = RT::Group->new( RT->SystemUser );
-    $everyone->LoadSystemInternalGroup('Everyone');
-    ok($everyone_gid = $everyone->id, "loaded 'everyone' group");
+sub test_role {
+    my $role_name = shift;
+    my $right_name = shift;
+    $m->follow_link_ok({ id => 'admin-global-group-rights'});
+    diag "load $role_name role group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadRoleGroup( Object => RT->System, Name => $role_name );
+    ok($group->id, "loaded '$role_name' role group");
+    rights_for_group_ok ( $group, $role_name, $right_name, 'ModifyGroupRights' );
-diag "revoke all global rights from Everyone group";
-my @has = get_rights( $m, $everyone_gid, 'RT::System-1' );
-if ( @has ) {
-    $m->form_name('ModifyGroupRights');
-    $m->untick("SetRights-$everyone_gid-RT::System-1", $_) foreach @has;
-    $m->submit;
-    is_deeply([get_rights( $m, $everyone_gid, 'RT::System-1' )], [], 'deleted all rights' );
-} else {
-    ok(1, 'the group has no global rights');
+sub test_system_internal_group {
+    my $group_name = shift;
+    my $right_name = shift;
+    $m->follow_link_ok({ id => 'admin-global-group-rights'});
+    diag "load $group_name group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadSystemInternalGroup($group_name);
+    ok($group->id, "loaded '$group_name' system internal group");
+    rights_for_group_ok ( $group, $group_name, $right_name, 'ModifyGroupRights' );
-diag "grant SuperUser right to everyone";
-    $m->form_name('ModifyGroupRights');
-    $m->tick("SetRights-$everyone_gid-RT::System-1", 'SuperUser');
-    $m->submit;
+sub test_user_defined_group {
+    my $user_group = shift;
+    my $group_name = shift;
+    my $right_name = shift;
-    $m->content_contains('Right Granted', 'got message');
-    RT::Principal::InvalidateACLCache();
-    ok($everyone->PrincipalObj->HasRight( Right => 'SuperUser', Object => $RT::System ), 'group has right');
-    is_deeply( [get_rights( $m, $everyone_gid, 'RT::System-1' )], ['SuperUser'], 'granted SuperUser right' );
+    my $user_group_id = $user_group->id;
+    my $user_group_name = $user_group->Name;
+    $m->get_ok("/Admin/Groups/GroupRights.html?id=$user_group_id");
+    diag "load $user_group_name group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadSystemInternalGroup($group_name);
+    ok($group->id, "loaded '$group_name' system internal group");
+    rights_for_group_ok ( $group, $group_name, $right_name, 'ModifyGroupRights', "RT::Group-$user_group_id", $user_group);
-diag "revoke the right";
-    $m->form_name('ModifyGroupRights');
-    $m->untick("SetRights-$everyone_gid-RT::System-1", 'SuperUser');
-    $m->submit;
+sub test_user {
+    my $user_name = shift;
+    my $right_name = shift;
+    $m->follow_link_ok({ id => 'admin-global-user-rights'});
+    diag "load $user_name";
+    my $user = RT::User->new( RT->SystemUser );
+    $user->Load($user_name);
+    ok($user->id, "loaded user '$user_name'");
+    diag "load $user_name group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadACLEquivalenceGroup($user->PrincipalId);
+    ok($group->id, "loaded '$user_name' UserEquiv group");
+    rights_for_group_ok ( $group, $user_name, $right_name, 'ModifyUserRights' );
+sub test_system_internal_queue_group {
+    my $queue_name = shift;
+    my $group_name = shift;
+    my $right_name = shift;
+    my $queue = RT::Queue->new( RT->SystemUser );
+    $queue->Load($queue_name);
+    $m->get_ok('/Admin/Queues/GroupRights.html?id=' . $queue->id);
+    diag "load $group_name group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadSystemInternalGroup($group_name);
+    ok($group->id, "loaded '$group_name' system internal group");
+    rights_for_group_ok ( $group, $group_name, $right_name, 'ModifyGroupRights', 'RT::Queue-'.$queue->id, $queue);
+sub test_system_internal_queue_role {
+    my $queue_name = shift;
+    my $role_name = shift;
+    my $right_name = shift;
+    my $queue = RT::Queue->new( RT->SystemUser );
+    $queue->Load($queue_name);
+    $m->get_ok('/Admin/Queues/GroupRights.html?id=' . $queue->id);
+    diag "load $role_name role group";
+    my $group = RT::Group->new( RT->SystemUser );
+    $group->LoadRoleGroup( Object => $queue, Name => $role_name );
+    ok($group->id, "loaded '$role_name' role group");
-    $m->content_contains('Right revoked', 'got message');
-    RT::Principal::InvalidateACLCache();
-    ok(!$everyone->PrincipalObj->HasRight( Right => 'SuperUser', Object => $RT::System ), 'group has no right');
-    is_deeply( [get_rights( $m, $everyone_gid, 'RT::System-1' )], [], 'revoked SuperUser right' );
+    rights_for_group_ok ( $group, $role_name, $right_name, 'ModifyGroupRights', 'RT::Queue-'.$queue->id, $queue);
+sub rights_for_group_ok {
+    my $group = shift;
+    my $group_name = shift;
+    my $right_name = shift;
+    my $form_name = shift;
-diag "return rights the group had in the beginning";
-if ( @has ) {
-    $m->form_name('ModifyGroupRights');
-    $m->tick("SetRights-$everyone_gid-RT::System-1", $_) for @has;
-    $m->submit;
-    $m->content_contains('Right Granted', 'got message');
-    is_deeply(
-        [ get_rights( $m, $everyone_gid, 'RT::System-1' ) ],
-        [ @has ],
-        'returned back all rights'
-    );
-} else {
-    ok(1, 'the group had no global rights, so nothing to return');
+    my $html_element_suffix = shift || 'RT::System-1';
+    my $right_context_obj = shift || $RT::System;
+    my $html_element_id = $group->id;
+    # if we have a non-system instance object, use that as the id
+    if ($group->InstanceObj && $group->Instance > 1) {
+        $html_element_id = $group->Instance;
+    }
+    my $is_user = $form_name eq 'ModifyUserRights';
+    my $is_root_user = $is_user && $group_name eq 'root';
+    diag "revoke all global rights from $group_name group";
+    my @original_rights = get_rights( $m, $html_element_id, $html_element_suffix, $form_name );
+    # this is important because all of the checkbox ids change if we're trying to modify a new user
+    my $user_missing_from_list = $is_user && !$is_root_user;
+    # We can't remove the SuperUser right from root or else we won't be able to access the admin section
+    if ($is_root_user) {
+        @original_rights = grep { $_ ne 'SuperUser' } @original_rights;
+    }
+    if ( @original_rights ) {
+        $m->form_name($form_name);
+        if ($is_root_user) {
+            $m->untick("SetRights-$html_element_id-$html_element_suffix", $_) foreach (@original_rights);
+            $m->submit;
+            is_deeply([get_rights( $m, $html_element_id, $html_element_suffix, $form_name )], ['SuperUser'], 'deleted all rights but SuperUser' );
+        } elsif (not $user_missing_from_list) {
+            $m->untick("SetRights-$html_element_id-$html_element_suffix", $_) foreach @original_rights;
+            $m->submit;
+            is_deeply([get_rights( $m, $html_element_id, $html_element_suffix, $form_name )], [], 'deleted all rights' );
+        }
+    } else {
+        ok(1, 'the group has no global rights');
+    }
+    diag "grant $right_name right to $group_name group";
+    {
+        $m->form_name($form_name);
+        if ($user_missing_from_list) {
+            # we must enter the username into the 'ADD USER' textbox
+            $m->field('AddPrincipalForRights-user', $group_name);
+            $m->tick("SetRights-addprincipal-$html_element_suffix", $right_name);
+            $m->submit;
+        } else {
+            $m->tick("SetRights-$html_element_id-$html_element_suffix", $right_name);
+            $m->submit;
+        }
+        if ($right_name eq 'AssignCustomFields') {
+            print "\n$html_element_id $html_element_suffix\n";
+        }
+        $m->text_contains("Granted right '$right_name' to $group_name", 'got message');
+        RT::Principal::InvalidateACLCache();
+        my $rights = $group->PrincipalObj->HasRights( Object => $right_context_obj );
+        ok($rights->{$right_name}, 'group has right');
+        is_deeply(
+            [get_rights( $m, $html_element_id, $html_element_suffix, $form_name )],
+            $is_root_user ? [$right_name, 'SuperUser'] : [$right_name],
+            "granted $right_name right" );
+    }
+    diag "revoke the $right_name right from $group_name group";
+    {
+        $m->form_name($form_name);
+        $m->untick("SetRights-$html_element_id-$html_element_suffix", $right_name);
+        $m->submit;
+        $m->text_contains("Revoked right '$right_name' from $group_name", 'got message');
+        RT::Principal::InvalidateACLCache();
+        my $rights = $group->PrincipalObj->HasRights( Object => $right_context_obj );
+        ok(!$rights->{$right_name}, 'group does not have right');
+        is_deeply(
+            [get_rights( $m, $html_element_id, $html_element_suffix, $form_name )],
+            $is_root_user ? ['SuperUser'] : [],
+            "revoked $right_name right" );
+    }
+    diag "return rights the $group_name group had in the beginning";
+    if ( @original_rights ) {
+        $m->form_name($form_name);
+        $m->tick("SetRights-$html_element_id-$html_element_suffix", $_) for @original_rights;
+        $m->submit;
+        $m->text_contains("Granted right '$_' to $group_name", 'got message') foreach (@original_rights);
+        is_deeply(
+            [ get_rights( $m, $html_element_id, $html_element_suffix, $form_name ) ],
+            [ @original_rights ],
+            'returned back all rights'
+        );
+    } else {
+        ok(1, 'the group had no global rights, so nothing to return');
+    }
+# User rights tests
+test_user ( 'root', 'CreateSavedSearch' );
+my ($test_user_name, $test_user) = ('rights-test-000', RT::User->new( RT->SystemUser ));
+diag "create $test_user_name test user";
+$test_user->Create( Name => $test_user_name, Privileged => 1);
+test_user ( $test_user_name, 'CreateTicket' );
+# Group rights tests
+test_system_internal_group ( 'Everyone', 'SuperUser' );
+test_system_internal_group ( 'Privileged', 'DeleteTicket' );
+test_system_internal_group ( 'Unprivileged', 'Watch' );
+# Role rights tests
+test_role ( 'AdminCc', 'ModifyACL' );
+test_role ( 'Cc', 'DeleteTicket' );
+test_role ( 'Owner', 'SeeQueue' );
+test_role ( 'Requestor', 'CreateTicket' );
+# User-defined group tests
+my ($user_group_name, $user_group) = ('rights user group test', RT::Group->new( RT->SystemUser ));
+diag "create $user_group_name custom user group";
+$user_group->CreateUserDefinedGroup( Name => $user_group_name, Description => '' );
+test_user_defined_group ( $user_group, 'Everyone', 'ModifyOwnMembership' );
+test_user_defined_group ( $user_group, 'Privileged', 'SeeGroup' );
+test_user_defined_group ( $user_group, 'Unprivileged', 'AdminGroup' );
+# Queue tests
+test_system_internal_queue_group ( 'General', 'Everyone', 'ShowTemplate' );
+test_system_internal_queue_group ( 'General', 'Privileged', 'ModifyTicket' );
+test_system_internal_queue_group ( 'General', 'Unprivileged', 'Watch' );
+test_system_internal_queue_role ( 'General', 'AdminCc', 'AssignCustomFields' );
+test_system_internal_queue_role ( 'General', 'Cc', 'ModifyScrips' );
+test_system_internal_queue_role ( 'General', 'Owner', 'ForwardMessage' );
+test_system_internal_queue_role ( 'General', 'Requestor', 'SeeQueue' );
+undef $m;
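Review bot: The `if ($right_name eq 'AssignCustomFields') { print "\n$html_element_id $html_element_suffix\n"; }` block in `rights_for_group_ok` looks like leftover debugging, and it writes raw text to STDOUT in the middle of the TAP stream. Drop it, or turn it into `diag "$html_element_id $html_element_suffix";` if the values are still useful. In `test_user_defined_group`, the `diag "load $user_group_name group";` line names the user-defined group while the code that follows loads the system-internal group `$group_name`, so the diagnostic would read better as `diag "load $group_name group for $user_group_name";`.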

