[Rt-commit] rt branch, 4.4/role-lifecycle-right-check, created. rt-4.4.3-24-gb770ab1c7

Craig Kaiser craig at bestpractical.com
Wed Aug 1 17:02:45 EDT 2018


The branch, 4.4/role-lifecycle-right-check has been created
        at  b770ab1c7acced4672d97923937544eea9815f72 (commit)

- Log -----------------------------------------------------------------
commit 9a56ca7fe297248e95643537b60e85a2220c68b2
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Aug 1 16:42:09 2018 -0400

    Test lifecycle rights at the ticket level

diff --git a/t/lifecycles/basics.t b/t/lifecycles/basics.t
index f53f077cc..89aa91464 100644
--- a/t/lifecycles/basics.t
+++ b/t/lifecycles/basics.t
@@ -242,4 +242,38 @@ diag "'!inactive -> inactive' actions are shown even if ticket has unresolved de
     );
 }
 
+diag "Role rights are checked on for lifecycles";
+{
+
+    my $user_a = RT::Test->load_or_create_user(
+        Name => 'user_a', Password => 'password',
+    );
+    ok $user_a && $user_a->id, 'loaded or created user';
+
+    RT::Test->set_rights(
+        { Principal => 'AdminCc',  Right => [qw(SeeQueue)] },
+        { Principal => 'Everyone',  Right => [qw(WatchAsAdminCc)] },
+    );
+
+    my $ticket = RT::Ticket->new(RT->SystemUser);
+    my ($ret, $msg) = $ticket->Create(Queue => 'General');
+    ok $ticket->id, 'Created new ticket';
+    my $id = $ticket->id;
+
+    $ticket = RT::Ticket->new($user_a);
+    ($ret, $msg) = $ticket->Load($id);
+    ok $ticket->id, 'Loaded ticket in user context';
+
+    is $ticket->QueueObj->Lifecycle($ticket), undef;
+
+    ($ret, $msg) = $ticket->AddWatcher(
+        Type        => 'AdminCc',
+        PrincipalId => $user_a->PrincipalId,
+    );
+    ok $ret, 'user_a is now AdminCc';
+
+    is $ticket->QueueObj->Lifecycle($ticket), 'default', 'Successfully loaded lifecycle';
+
+}
+
 done_testing;
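Review bot: The denial assertion `is $ticket->QueueObj->Lifecycle($ticket), undef;` has no test name, yet it is the one line that pins the access-control half of this change. Naming it, e.g. `is $ticket->QueueObj->Lifecycle($ticket), undef, 'Lifecycle hidden without SeeQueue';`, makes a regression there identifiable in the output. The results of `Create` and `Load` are stored in `$ret`/`$msg` but never asserted, so adding `ok $ret, $msg;` after each would surface a setup failure instead of a confusing later one. The block also proves only the grant path; removing the watcher again (RT::Ticket's `DeleteWatcher`) and repeating the `undef` check would show that the access goes away with the role.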

commit b770ab1c7acced4672d97923937544eea9815f72
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Aug 1 14:53:32 2018 -0400

    Add method for lifecycle rights check
    
    If the context object is not checked for 'SeeQueue' then users who have
    their rights from a role may not be able to see the queue lifecycle.
    This will result in users not being able to set statuses that they
    normally should be able to.

diff --git a/lib/RT/Queue.pm b/lib/RT/Queue.pm
index b9eaec302..a192e4eec 100644
--- a/lib/RT/Queue.pm
+++ b/lib/RT/Queue.pm
@@ -784,7 +784,19 @@ sub _Set {
     return ( $ret, $msg );
 }
 
+sub Lifecycle {
+    my $self    = shift;
+    my $context = shift;
+
+    # Check context level rights if we do not have Queue level rights
+    if ( $context && ! $self->CurrentUserHasRight('SeeQueue') ) {
+        return (undef) unless $context->CurrentUserHasRight('SeeQueue');
+    } elsif ( ! $self->CurrentUserHasRight('SeeQueue') ) {
+        return (undef);
+    }
 
+    return ( $self->__Value('Lifecycle') );
+}
 
 sub _Value {
     my $self = shift;
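Review bot: The context branch of the new `Lifecycle` accepts any true `$context` and trusts its `CurrentUserHasRight('SeeQueue')` answer, but nothing visible checks that the object belongs to this queue or was loaded for the same current user. The queue-level ACL therefore depends on every caller passing the right object. The only caller in this commit is `LifecycleObj` in `RT::Record::Role::Status`, which passes `$self` and looks safe. The requirement should still be stated in a comment above the check and in the `=head2 Lifecycle CONTEXT` POD hunk below, which also omits that undef is returned when neither check passes. The guard can also be written without the repeated queue-level test as `unless ( $self->CurrentUserHasRight('SeeQueue') ) { return (undef) unless $context && $context->CurrentUserHasRight('SeeQueue'); }`. `_Value`, whose first lines close this hunk, continues outside it.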
@@ -889,9 +901,10 @@ Returns (1, 'Status message') on success and (0, 'Error Message') on failure.
 =cut
 
 
-=head2 Lifecycle
+=head2 Lifecycle CONTEXT
 
-Returns the current value of Lifecycle. 
+Returns the current value of Lifecycle, provide a context object
+to check at a level other than the Queue level.
 (In the database, Lifecycle is stored as varchar(32).)
 
 
diff --git a/lib/RT/Record/Role/Lifecycle.pm b/lib/RT/Record/Role/Lifecycle.pm
index 6ca07a6ff..3fa5c9acc 100644
--- a/lib/RT/Record/Role/Lifecycle.pm
+++ b/lib/RT/Record/Role/Lifecycle.pm
@@ -93,6 +93,7 @@ of all lifecycles of the appropriate type.
 
 sub LifecycleObj {
     my $self = shift;
+    my $context = shift;
     my $type = $self->LifecycleType;
     my $fallback = $self->_Accessible( Lifecycle => "default" );
 
@@ -100,7 +101,7 @@ sub LifecycleObj {
         return RT::Lifecycle->Load( Type => $type );
     }
 
-    my $name = $self->Lifecycle || $fallback;
+    my $name = $self->Lifecycle($context) || $fallback;
     my $res  = RT::Lifecycle->Load( Name => $name, Type => $type );
     unless ( $res ) {
         RT->Logger->error(
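Review bot: In `my $name = $self->Lifecycle($context) || $fallback;` a rights denial is indistinguishable from an unset lifecycle, because `Lifecycle` returns undef when no SeeQueue check passes and the `||` then substitutes the fallback name. That may be intended, but it deserves a comment such as `# undef here means either no lifecycle set or SeeQueue denied; both fall back`. The new optional `$context` argument, read by `my $context = shift;` in the previous hunk, is not reflected in the POD above `LifecycleObj` as far as these hunks show. Other consumers of this role may have a `Lifecycle` accessor that ignores the extra argument; that should be confirmed. `LifecycleObj` starts in the previous hunk and ends outside this one.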
diff --git a/lib/RT/Record/Role/Status.pm b/lib/RT/Record/Role/Status.pm
index 7555b886d..3ee90c2f1 100644
--- a/lib/RT/Record/Role/Status.pm
+++ b/lib/RT/Record/Role/Status.pm
@@ -116,7 +116,7 @@ of all lifecycles of the appropriate type.
 sub LifecycleObj {
     my $self = shift;
     my $obj  = $self->LifecycleColumn . "Obj";
-    return $self->$obj->LifecycleObj;
+    return $self->$obj->LifecycleObj($self);
 }
 
 =head2 Lifecycle
diff --git a/t/lifecycles/basics.t b/t/lifecycles/basics.t
index 89aa91464..be3a8579e 100644
--- a/t/lifecycles/basics.t
+++ b/t/lifecycles/basics.t
@@ -242,7 +242,7 @@ diag "'!inactive -> inactive' actions are shown even if ticket has unresolved de
     );
 }
 
-diag "Role rights are checked on for lifecycles";
+diag "Role rights are checked for lifecycles at ticket level";
 {
 
     my $user_a = RT::Test->load_or_create_user(

-----------------------------------------------------------------------

