[Rt-commit] rt 06/10: Silently ignore saved searches current user doesn't have rights to view

sunnavy sunnavy at bestpractical.com
Fri Jul 9 16:30:26 EDT 2021


This is an automated email from the git hooks/post-receive script.

sunnavy pushed a commit to branch 5.0/use-dashboard-for-homepage-select-ui
in repository rt.

commit e0f57d6c3b7589af5727dc62a2f7b17c4694fe32
Author: sunnavy <sunnavy at bestpractical.com>
AuthorDate: Fri May 28 23:24:44 2021 +0800

    Silently ignore saved searches current user doesn't have rights to view
    
    This could be a useful feature: for a dashboard used by multiple
    users, some searches in the dashboard are only shown to those with proper
    rights. In that case, showing an error message could confuse people.
    
    Previously the main rights check was done implicitly via:
    
        ref( $SearchArg = $search->Content ) eq 'HASH'
    
    Here we switch to CurrentUserHasRight('display') to make the logic a bit
    more obvious.
---
 share/html/Elements/ShowSearch | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/share/html/Elements/ShowSearch b/share/html/Elements/ShowSearch
index d647a1c82f..95eca046e2 100644
--- a/share/html/Elements/ShowSearch
+++ b/share/html/Elements/ShowSearch
@@ -68,13 +68,27 @@ my $class = 'RT::Tickets';
 
 if ($SavedSearch) {
     my ( $container_object, $search_id ) = _parse_saved_search($SavedSearch);
-    unless ( $container_object ) {
-        $m->out(loc("Either you have no rights to view saved search [_1] or identifier is incorrect", $m->interp->apply_escapes($SavedSearch, 'h')));
-        return;
-    }
     $search = RT::Attribute->new( $session{'CurrentUser'} );
-    $search->Load($search_id);
-    unless ( $search->Id && ref( $SearchArg = $search->Content ) eq 'HASH' ) {
+    $search->Load($search_id) if $search_id;
+
+    if ( $search->Id ) {
+
+        # $container_object is undef if it's another user's personal saved
+        # search. We need to explicitly exclude this case as
+        # CurrentUserHasRight doesn't handle that.
+        if ( $container_object && $search->CurrentUserHasRight('display') ) {
+            $SearchArg = $search->Content;
+        }
+        else {
+            RT->Logger->debug( "User "
+                    . $session{CurrentUser}->Name
+                    . " does not have rights to view saved search: "
+                    . $search->__Value('Description')
+                    . "($SavedSearch)" );
+            return;
+        }
+    }
+    else {
         $m->out(loc("Saved search [_1] not found", $m->interp->apply_escapes($SavedSearch, 'h'))) unless $IgnoreMissing;
         return;
     }
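
Review bot: The new success branch assigns `$SearchArg = $search->Content` without the `eq 'HASH'` test that the removed condition carried, so the type validation is lost along with the implicit rights check. If `Content` comes back undef or as a non-hash value (for example a damaged attribute), the component now continues with that value instead of returning. Consider keeping an explicit `ref($SearchArg) eq 'HASH'` test after the `CurrentUserHasRight('display')` check and falling through to the "not found" path when it fails. Two smaller points in the `else` branch: the denial is logged only at debug level, so at a default log level nothing records that a user was refused a saved search, and the message interpolates `$SavedSearch` unescaped with no space before the parenthesis, whereas the page output passes the same value through `apply_escapes`. Since the `$container_object &&` guard is the only thing excluding another user's personal search, a test that loads such a search and asserts nothing is rendered would help protect it.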

-- 
To stop receiving notification emails like this one, please contact
sysadmin at bestpractical.com.

