[Rt-commit] rt 04/04: Allow SuperUser to load dashboard settings for other users

[Jim Brandt]

This is an automated email from the git hooks/post-receive script.

jbrandt pushed a commit to branch 5.0/use-dashboard-for-homepage-select-ui
in repository rt.

commit be699b0ce12e3ab7ce2cc1bcabb481cd5e625722
Author: Jim Brandt <jbrandt at bestpractical.com>
AuthorDate: Thu Jul 8 13:52:05 2021 -0400

    Allow SuperUser to load dashboard settings for other users
    
    SuperUsers can modify RT at a glance on the user admin
    page for individual users, so allow SuperUsers to load objects
    that belong to other users.
---
 lib/RT/SharedSetting.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/RT/SharedSetting.pm b/lib/RT/SharedSetting.pm
index 5da07c21e2..38fff43664 100644
--- a/lib/RT/SharedSetting.pm
+++ b/lib/RT/SharedSetting.pm
@@ -425,7 +425,8 @@ sub _GetObject {
     # Do not allow the loading of a user object other than the current
     # user, or of a group object of which the current user is not a member.
 
-    if ($obj_type eq 'RT::User' && $object->Id != $self->CurrentUser->UserObj->Id) {
+    if ($obj_type eq 'RT::User' && $object->Id != $self->CurrentUser->UserObj->Id
+        && !$self->CurrentUser->HasRight( Object => $RT::System, Right => 'SuperUser' )) {
         $RT::Logger->debug("Permission denied for user other than self");
         return undef;
     }
@@ -446,6 +447,13 @@ sub _load_privacy_object {
     if ( $obj_type eq 'RT::User' ) {
         if ( $obj_id == $self->CurrentUser->Id ) {
             return $self->CurrentUser->UserObj;
+        }
+        elsif ( $self->CurrentUser->HasRight( Right => 'SuperUser', Object => RT->System ) ) {
+            # OK to load for SuperUser for context like user admin RT at a glance config
+            my $user_obj = RT::User->new( $self->CurrentUser );
+            my ($ret, $msg) = $user_obj->Load($obj_id);
+            RT->Logger->error("Unable to load user object id $obj_id: $msg") unless $ret;
+            return $user_obj;
         } else {
             $RT::Logger->warning("User #". $self->CurrentUser->Id ." tried to load container user #". $obj_id);
             return undef;

-- 
To stop receiving notification emails like this one, please contact
sysadmin at bestpractical.com.