[Rt-commit] rt branch, 4.4/edit-saved-searches-right, created. rt-4.4.4-14-g0aa64e660
Jim Brandt
jbrandt at bestpractical.com
Fri Apr 5 14:46:45 EDT 2019
The branch, 4.4/edit-saved-searches-right has been created
at 0aa64e660780000cc5f9491979c31cc88a59113a (commit)
- Log -----------------------------------------------------------------
commit 0d6af9eeed71f7b316343a6cf3a2e0fe6418a0fa
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri Apr 5 13:39:57 2019 -0400
Add ObjectsForCreating method
This method is mentioned as a wrapper in the comment for the
internal _PrivacyObjects method, but didn't previously exist. Add it
to provide a wrapper that performs rights checks consistent
with creating saved searches.
diff --git a/lib/RT/SavedSearch.pm b/lib/RT/SavedSearch.pm
index 79474ea56..c0fcfc4ff 100644
--- a/lib/RT/SavedSearch.pm
+++ b/lib/RT/SavedSearch.pm
@@ -190,6 +190,38 @@ sub ObjectsForLoading {
return grep { $self->CurrentUserCanSee($_) } $self->_PrivacyObjects( "SavedSearch" );
}
+=head2 ObjectsForCreating
+
+In the context of the current user, load a list of objects that could have searches
+saved under, including the current user and groups. This method considers both rights
+and group membership when creating the list of objects for saved searches.
+
+=cut
+
+sub ObjectsForCreating {
+ my $self = shift;
+ my @objects = $self->_PrivacyObjects( );
+ my @create_objects;
+
+ foreach my $object ( @objects ) {
+ # Users need CreateSavedSearch to save personal searches
+ if ( ref $object
+ && ref $object eq 'RT::User'
+ && $self->CurrentUser->HasRight( Right => 'CreateSavedSearch', Object => $object ) ) {
+ push @create_objects, $object;
+ }
+
+ # On groups, the EditSavedSearches right manages create and edit
+ if ( ref $object
+ && ref $object eq 'RT::Group'
+ && $self->CurrentUser->HasRight( Right => 'EditSavedSearches', Object => $object ) ) {
+ push @create_objects, $object;
+ }
+ }
+
+ return @create_objects;
+}
+
RT::Base->_ImportOverlays();
1;
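Review bot: The class checks in the loop compare `ref $object` against the exact strings 'RT::User' and 'RT::Group', so an object of a subclass, or an RT::System object, matches neither branch and is dropped without any indication. That fails closed, which is the safe direction for a rights filter, but it should be deliberate: `blessed($object) && $object->isa('RT::User')` (with `blessed` from Scalar::Util) would accept subclasses, and the second test can be an `elsif` since one object cannot match both strings. The POD should also name the two rights, for example `Users are included when the current user has CreateSavedSearch on them; groups when the current user has EditSavedSearches on the group.`, and say that other object types are never returned. Callers should treat the result as a filter for building menus; the commit description indicates the save itself is refused without the right, and that check remains the enforcement point.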
commit 73b081dbf8e5042233c9e1008b5921fb753afd55
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri Apr 5 14:08:12 2019 -0400
Add tests for ObjectsForCreating
diff --git a/t/api/savedsearch.t b/t/api/savedsearch.t
index 2e924bf7b..9693fcc9f 100644
--- a/t/api/savedsearch.t
+++ b/t/api/savedsearch.t
@@ -2,7 +2,7 @@ use strict;
use warnings;
BEGIN { $ENV{'LANG'} = 'C' }
-use RT::Test tests => 27;
+use RT::Test tests => undef;
use_ok('RT::SavedSearch');
use_ok('RT::SavedSearches');
@@ -25,11 +25,22 @@ $searchuser->PrincipalObj->GrantRight(Right => 'ModifySelf');
my $ingroup = RT::Group->new(RT->SystemUser);
$ingroup->CreateUserDefinedGroup(Name => 'searchgroup1'.$$);
$ingroup->AddMember($searchuser->Id);
+
+diag('Check saved search rights');
+my @create_objects = RT::SavedSearch->new($searchuser)->ObjectsForCreating;
+
+is( scalar @create_objects, 1, 'Got one Privacy option for saving searches');
+is( $create_objects[0]->Id, $searchuser->Id, 'Privacy option is personal saved search');
+
$searchuser->PrincipalObj->GrantRight(Right => 'EditSavedSearches',
Object => $ingroup);
$searchuser->PrincipalObj->GrantRight(Right => 'ShowSavedSearches',
Object => $ingroup);
+ at create_objects = RT::SavedSearch->new($searchuser)->ObjectsForCreating;
+is( scalar @create_objects, 2, 'Got two Privacy options for saving searches');
+is( $create_objects[1]->Id, $ingroup->Id, 'Second Privacy option is group saved search');
+
# This is the group whose searches searchuser should not be able to see.
my $outgroup = RT::Group->new(RT->SystemUser);
$outgroup->CreateUserDefinedGroup(Name => 'searchgroup2'.$$);
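Review bot: The new assertions index into the result (`$create_objects[0]`, `$create_objects[1]`), which ties the test to the order in which _PrivacyObjects returns the user and the groups rather than to the rights logic under test. Checking membership instead, e.g. `ok( ( grep { ref $_ eq 'RT::Group' && $_->Id == $ingroup->Id } @create_objects ), 'group offered after grant' );`, keeps the test stable if that order changes. The denial path of the RT::User branch is not exercised in this hunk: a case where the user lacks CreateSavedSearch and the personal option is expected to be absent would cover it. `note` is the usual choice over `diag` for routine progress output, since `diag` writes to STDERR even on passing runs.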
@@ -179,3 +190,4 @@ ok($ret, "Deleted genericsearch");
$allsearches->LimitToPrivacy('RT::User-'.$curruser->Id);
is($allsearches->Count, 1, "Found all searchuser's searches after deletion");
+done_testing();
commit 272dd610b9ab1bc701d43fe66bb44095639bbf96
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri Apr 5 14:10:30 2019 -0400
For saved searches, split objects lists for creating and loading
Different rights manage creating/editing saved searches and
loading them, so split loading the list of valid objects into
two different data structures.
Also use the corresponding wrapper methods to load the objects
rather than calling the _PrivacyObjects method directly.
This change fixes a bug in the Privacy menu. Previously it
loaded all groups the user is a member of without checking the
EditSavedSearches right. If the user then tried to save a search
for a group without that right, they would receive an error and
the search would not be saved. The dropdown now checks for this
right and only shows group options that the user can save to based
on rights.
diff --git a/share/html/Search/Elements/EditSearches b/share/html/Search/Elements/EditSearches
index e7de62bd0..6e7220eb1 100644
--- a/share/html/Search/Elements/EditSearches
+++ b/share/html/Search/Elements/EditSearches
@@ -51,7 +51,7 @@
%# Hide all the save functionality if the user shouldn't see it.
% if ( $can_modify ) {
<span class="label"><&|/l&>Privacy</&>:</span>
-<& SelectSearchObject, Name => 'SavedSearchOwner', Objects => \@Objects, Object => ( $Object && $Object->id ) ? $Object->Object : '' &>
+<& SelectSearchObject, Name => 'SavedSearchOwner', Objects => \@CreateObjects, Object => ( $Object && $Object->id ) ? $Object->Object : '' &>
<br />
<span class="label"><&|/l&>Description</&>:</span>
<input size="25" name="SavedSearchDescription" value="<% $Description || '' %>" />
@@ -76,7 +76,7 @@
<br />
<hr />
<span class="label"><&|/l&>Load saved search</&>:</span>
-<& SelectSearchesForObjects, Name => 'SavedSearchLoad', Objects => \@Objects, SearchType => $Type &>
+<& SelectSearchesForObjects, Name => 'SavedSearchLoad', Objects => \@LoadObjects, SearchType => $Type &>
<input type="submit" value="<% loc('Load') %>" id="SavedSearchLoadSubmit" name="SavedSearchLoadSubmit" class="button" />
</&>
@@ -93,8 +93,13 @@ my $can_modify = $session{'CurrentUser'}->HasRight(
);
use RT::SavedSearch;
-my @Objects = RT::SavedSearch->new($session{CurrentUser})->_PrivacyObjects;
-push @Objects, RT::System->new( $session{'CurrentUser'} )
+my @LoadObjects = RT::SavedSearch->new($session{CurrentUser})->ObjectsForLoading;
+push @LoadObjects, RT::System->new( $session{'CurrentUser'} )
+ if $session{'CurrentUser'}->HasRight( Object=> $RT::System,
+ Right => 'SuperUser' );
+
+my @CreateObjects = RT::SavedSearch->new($session{CurrentUser})->ObjectsForCreating;
+push @CreateObjects, RT::System->new( $session{'CurrentUser'} )
if $session{'CurrentUser'}->HasRight( Object=> $RT::System,
Right => 'SuperUser' );
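Review bot: The two lists are built with duplicated code: `RT::SavedSearch->new(...)` is constructed twice and the SuperUser `HasRight` check is evaluated twice with identical arguments. Computing it once, e.g. `my $is_superuser = $session{'CurrentUser'}->HasRight( Object => $RT::System, Right => 'SuperUser' );`, and using `if $is_superuser` on both `push` statements keeps the two lists from drifting apart in a later edit. A comment above `@CreateObjects` should state that it only controls which options the Privacy menu offers; the submitted `SavedSearchOwner` value comes from the client, so the rights check performed when the search is saved remains the actual enforcement. The enclosing init section starts before this hunk, so how `$can_modify` relates to these lists is not visible here.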
commit 0aa64e660780000cc5f9491979c31cc88a59113a
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri Apr 5 14:46:33 2019 -0400
Note behavior change in UPGRADING doc
diff --git a/docs/UPGRADING-4.4 b/docs/UPGRADING-4.4
index 1fc0fe133..d2da81603 100644
--- a/docs/UPGRADING-4.4
+++ b/docs/UPGRADING-4.4
@@ -615,4 +615,22 @@ now contains the reference to the message content as the name implies.
=back
+=head1 UPGRADING FROM 4.4.4 AND EARLIER
+
+=over 4
+
+=item * Privacy Menu in Query Builder
+
+On the Query Builder, the Privacy menu loads groups you are a member of as potential
+places to save searches. However, it previously did not confirm the current user
+had the EditSavedSearches right, so you might try to save a search with a group
+and receive an error until that right was granted.
+
+This has been fixed, so now groups load only if you have rights to create the
+search via EditSavedSearches on the group or globally. This may change the groups
+that appear in the Privacy menu, but shouldn't change functionality since users
+without the correct rights were unable to create searches.
+
+=back
+
=cut
-----------------------------------------------------------------------