[Rt-commit] rt branch, 4.4/groupdashboards-savedsearches-rights, created. rt-4.4.2-52-gac982f0

Maureen Mirville maureen at bestpractical.com
Mon Dec 18 09:53:31 EST 2017


The branch, 4.4/groupdashboards-savedsearches-rights has been created
        at  ac982f053b9a41f741251d70ff7d098a0250dce3 (commit)

- Log -----------------------------------------------------------------
commit 1669856386926b67e8ea3221998311fba2d39d43
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Fri Dec 15 14:15:22 2017 -0500

    Fix bug on groups granted 'SeeGroupDashboard' or 'ShowSavedSearches'
    
    Groups granted 'SeeGroupDashboard' or 'ShowSavedSearches' rights
    on a second group, previously, could only see the dashboard or
    saved searches if the group members were also in the second group.
    This fix allows for members of one group with these rights on
    another to view the dashboard or saved searches of the other group
    without membership.

diff --git a/lib/RT/Dashboard.pm b/lib/RT/Dashboard.pm
index 7f76853..3f0de65 100644
--- a/lib/RT/Dashboard.pm
+++ b/lib/RT/Dashboard.pm
@@ -402,7 +402,34 @@ sub ObjectsForLoading {
         FIELD => 'Name',
         VALUE => 'Dashboard',
     );
+    my $groups2 = RT::Groups->new($CurrentUser);
+    $groups2->LimitToUserDefinedGroups;
+    $groups2->ForWhichCurrentUserHasRight(
+        Right             => 'SeeGroupDashboard',
+        IncludeSuperusers => 0,
+    );
+    my $attrs2 = $groups2->Join(
+        ALIAS1 => 'main',
+        FIELD1 => 'id',
+        TABLE2 => 'Attributes',
+        FIELD2 => 'ObjectId',
+    );
+    $groups2->Limit(
+        ALIAS => $attrs2,
+        FIELD => 'ObjectType',
+        VALUE => 'RT::Group',
+    );
+    $groups2->Limit(
+        ALIAS => $attrs2,
+        FIELD => 'Name',
+        VALUE => 'Dashboard',
+    );
     push @objects, @{ $groups->ItemsArrayRef };
+    push @objects, @{ $groups2->ItemsArrayRef };
+
+    # remove duplicates from @objects:
+    my %seen;
+    @objects = grep !$seen{$_->Id}++, @objects;
 
     # Finally, if you have been granted the SeeDashboard right (which
     # you could have by way of global user right or global group right),
diff --git a/lib/RT/SavedSearch.pm b/lib/RT/SavedSearch.pm
index 8bb1452..593b2aa 100644
--- a/lib/RT/SavedSearch.pm
+++ b/lib/RT/SavedSearch.pm
@@ -162,6 +162,10 @@ sub _PrivacyObjects {
 
     my $groups = RT::Groups->new($CurrentUser);
     $groups->LimitToUserDefinedGroups;
+    $groups->ForWhichCurrentUserHasRight(
+        Right             => 'ShowSavedSearches',
+        IncludeSuperusers => 0,
+    );
     $groups->WithCurrentUser;
     if ($has_attr) {
         my $attrs = $groups->Join(
@@ -181,8 +185,39 @@ sub _PrivacyObjects {
             VALUE => $has_attr,
         );
     }
+    my $groupsB = RT::Groups->new($CurrentUser);
+    $groupsB->LimitToUserDefinedGroups;
+    $groupsB->ForWhichCurrentUserHasRight(
+        Right             => 'ShowSavedSearches',
+        IncludeSuperusers => 0,
+    );
+    if ($has_attr) {
+        my $attrsB = $groupsB->Join(
+            ALIAS1 => 'main',
+            FIELD1 => 'id',
+            TABLE2 => 'Attributes',
+            FIELD2 => 'ObjectId',
+        );
+        $groupsB->Limit(
+            ALIAS => $attrsB,
+            FIELD => 'ObjectType',
+            VALUE => 'RT::Group',
+        );
+        $groupsB->Limit(
+            ALIAS => $attrsB,
+            FIELD => 'Name',
+            VALUE => $has_attr,
+        );
+    }
+    my @objects = $CurrentUser->UserObj;
+    push @objects, @{ $groups->ItemsArrayRef };
+    push @objects, @{ $groupsB->ItemsArrayRef };
+
+    # remove duplicates:
+    my %seen;
+    @objects = grep !$seen{$_->Id}++, @objects;
 
-    return ( $CurrentUser->UserObj, @{ $groups->ItemsArrayRef() } );
+    return @objects;
 }
 
 sub ObjectsForLoading {
diff --git a/lib/RT/SharedSetting.pm b/lib/RT/SharedSetting.pm
index 30f9e09..d713625 100644
--- a/lib/RT/SharedSetting.pm
+++ b/lib/RT/SharedSetting.pm
@@ -423,10 +423,9 @@ sub _GetObject {
     }
 
     if (   $obj_type eq 'RT::Group'
-        && !$object->HasMemberRecursively($self->CurrentUser->PrincipalObj)
-        && !$self->CurrentUser->HasRight( Object => $RT::System, Right => 'SuperUser' ) ) {
+        && !$self->CurrentUser->HasRight( Object => $object, Right => 'SeeGroupDashboard' ) ) {
         $RT::Logger->debug("Permission denied, ".$self->CurrentUser->Name.
-                           " is not a member of group");
+                           " does not have rights to see group dashboard" );
         return undef;
     }
 

commit ac982f053b9a41f741251d70ff7d098a0250dce3
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Mon Dec 18 09:50:02 2017 -0500

    Update tests for 'SeeGroupDashboard' or 'ShowSavedSearches' bug fix
    
    Tests updated for group rights granted on another group (see
    previous commit #16698563) bug fix.

diff --git a/t/web/dashboards-groups.t b/t/web/dashboards-groups.t
index 9f1c37d..a11ef5b 100644
--- a/t/web/dashboards-groups.t
+++ b/t/web/dashboards-groups.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test nodata => 1, tests => 64;
+use RT::Test nodata => 1, tests => undef;
 my ($baseurl, $m) = RT::Test->started_ok;
 
 my $url = $m->rt_base_url;
@@ -193,3 +193,48 @@ $m->get_ok("/Dashboards/index.html");
 $m->content_contains("inner dashboard", "The dashboards list includes superuser rights");
 $m->get_ok("/Prefs/DashboardsInMenu.html");
 $m->content_lacks("inner dashboard", "But the menu skips them");
+
+# remove user from inner group
+($ok, $msg) = $outer_group->DeleteMember($inner_group->PrincipalId);
+ok($ok, "removed inner as a member of outer: $msg");
+
+# add user to outer group
+($ok, $msg) = $outer_group->AddMember($user_obj->PrincipalId);
+ok($ok, "added user as a member of outer group: $msg");
+
+# grant user right to see and create group dashboards for outer group
+$user_obj->PrincipalObj->GrantRight(
+    Right  => 'SeeGroupDashboard',
+    Object => $outer_group,
+);
+$user_obj->PrincipalObj->GrantRight(
+    Right => 'CreateGroupDashboard',
+    Object => $outer_group,
+);
+
+# create group dashboard for outer group
+$m->follow_link_ok({ id => 'home-dashboard_create'});
+$m->form_name('ModifyDashboard');
+$m->field("Name" => 'outer dashboard');
+$m->field("Privacy" => "RT::Group-" . $outer_group->Id);
+$m->click_button(value => 'Create');
+$m->content_contains("Saved dashboard outer dashboard");
+
+# check if user can see outer dashboard
+$m->get_ok("/Dashboards/index.html");
+$m->content_contains("outer dashboard", "The dashboards list includes outer dashboard");
+$m->get_ok("/Prefs/DashboardsInMenu.html");
+$m->content_contains("outer dashboard", "The dashboards menu includes outer dashboard");
+
+# remove user from outer group
+($ok, $msg) = $outer_group->DeleteMember($currentuser->PrincipalId);
+ok($ok, "removed user as a member of outer: $msg");
+
+# confirm that user can still see outer dashboard
+## this test should fail due to bug in group dashboard rights and pass when bug has been fixed
+$m->get_ok("/Dashboards/index.html");
+$m->content_contains("outer dashboard", "Non-group member granted rights' dashboards list includes outer dashboard");
+$m->get_ok("/Prefs/DashboardsInMenu.html");
+$m->content_contains("outer dashboard", "The dashboards menu includes outer dashboard");
+
+done_testing();

-----------------------------------------------------------------------


More information about the rt-commit mailing list