[Rt-commit] rt 06/12: Silently ignore saved searches current user doesn't have rights to view
sunnavy
sunnavy at bestpractical.com
Wed Jul 14 14:46:47 EDT 2021
This is an automated email from the git hooks/post-receive script.
sunnavy pushed a commit to branch 5.0/use-dashboard-for-homepage-select-ui
in repository rt.
commit 3084716eb70b7b6067eb5ec688c560c28639a017
Author: sunnavy <sunnavy at bestpractical.com>
AuthorDate: Fri May 28 23:24:44 2021 +0800
Silently ignore saved searches current user doesn't have rights to view
This could be a useful feature: for a dashboard used by multiple
users, some searches in the dashboard are only shown to ones with proper
rights. In that case, showing an error message could confuse people.
Previously the main rights check was done implicitly via:
ref( $SearchArg = $search->Content ) eq 'HASH'
Here we switch to CurrentUserHasRight('display') to make the logic a bit
more obvious.
---
share/html/Elements/ShowSearch | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/share/html/Elements/ShowSearch b/share/html/Elements/ShowSearch
index d647a1c82f..95eca046e2 100644
--- a/share/html/Elements/ShowSearch
+++ b/share/html/Elements/ShowSearch
@@ -68,13 +68,27 @@ my $class = 'RT::Tickets';
if ($SavedSearch) {
my ( $container_object, $search_id ) = _parse_saved_search($SavedSearch);
- unless ( $container_object ) {
- $m->out(loc("Either you have no rights to view saved search [_1] or identifier is incorrect", $m->interp->apply_escapes($SavedSearch, 'h')));
- return;
- }
$search = RT::Attribute->new( $session{'CurrentUser'} );
- $search->Load($search_id);
- unless ( $search->Id && ref( $SearchArg = $search->Content ) eq 'HASH' ) {
+ $search->Load($search_id) if $search_id;
+
+ if ( $search->Id ) {
+
+ # $container_object is undef if it's another user's personal saved
+ # search. We need to explicitly exclude this case as
+ # CurrentUserHasRight doesn't handle that.
+ if ( $container_object && $search->CurrentUserHasRight('display') ) {
+ $SearchArg = $search->Content;
+ }
+ else {
+ RT->Logger->debug( "User "
+ . $session{CurrentUser}->Name
+ . " does not have rights to view saved search: "
+ . $search->__Value('Description')
+ . "($SavedSearch)" );
+ return;
+ }
+ }
+ else {
$m->out(loc("Saved search [_1] not found", $m->interp->apply_escapes($SavedSearch, 'h'))) unless $IgnoreMissing;
return;
}
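Review bot: In the `if ( $container_object && $search->CurrentUserHasRight('display') )` branch, `$SearchArg = $search->Content` is now assigned without the `ref(...) eq 'HASH'` test that the removed line performed, so an attribute whose content is not a hash passes through where it used to fall into the "not found" path. Nothing in this hunk confirms that the `RT::Attribute` loaded via `$search_id` is actually a saved search, so I would keep the shape check next to the rights check and treat a non-hash `$SearchArg` as not found. Separately, a search the user may not view now returns with no output while a missing one prints "Saved search [_1] not found" (unless `$IgnoreMissing`), so the two cases are distinguishable to the viewer, whereas the removed "Either you have no rights ... or identifier is incorrect" message merged them; either say in the commit message that this is accepted or return silently in both cases. Minor: `$search->__Value('Description')` may be undefined for an attribute without a description, which would emit a concatenation warning in the debug line; a `// ''` default avoids that.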