[rt-devel] Override global ACL

plasma plasmaball at pchome.com.tw
Sat Feb 1 13:01:06 EST 2003


Hi all,

Maybe some of you would like to override global ACLs in a queue.
Attached is the patch against .64.

Please note the new 'OverrideGlobalACL' field in the Queues table in the
database.  There will be a new field labeled 'Override global rights'
in the page of queue basics, as well as those of group rights and user
rights.  If it is checked, global ACLs will be ignored in that queue
(unless you're THE root, of course).  Any rights you want to grant to
users must be set up.

Ya, it would be better if a specific ACL could be revoked, but I don't know
how to implement it.  This is the quickest way I can think of.

Hope it helps.


plasma
-------------- next part --------------
diff -ruN rt-2-1-64.orig/etc/schema.mysql rt-2-1-64.work/etc/schema.mysql
--- rt-2-1-64.orig/etc/schema.mysql	Sun Feb  2 00:23:34 2003
+++ rt-2-1-64.work/etc/schema.mysql	Sun Feb  2 00:34:34 2003
@@ -36,6 +36,7 @@
   LastUpdatedBy integer NOT NULL DEFAULT 0  ,
   LastUpdated DATETIME NULL  ,
   Disabled int2 NOT NULL DEFAULT 0 ,
+  OverrideGlobalACL int2 NOT NULL DEFAULT 0 ,
   PRIMARY KEY (id)
 ) TYPE=InnoDB;
 CREATE UNIQUE INDEX Queues1 ON Queues (Name) ;
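Review bot: The new `OverrideGlobalACL` column is only added to the fresh-install schema; nothing in the patch alters the `Queues` table of an existing database, so on an upgraded instance every read of the column, including the `__Value('OverrideGlobalACL')` lookups added to Principal_Overlay.pm, will fail on a missing column. A one-line upgrade statement should accompany the patch, e.g. `ALTER TABLE Queues ADD OverrideGlobalACL int2 NOT NULL DEFAULT 0;`, or an entry in whatever upgrade mechanism the tree uses. Only schema.mysql is touched here; if the tree also ships schemas for other databases they presumably need the same column.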
diff -ruN rt-2-1-64.orig/html/Admin/Elements/CheckOverrideGlobalACL rt-2-1-64.work/html/Admin/Elements/CheckOverrideGlobalACL
--- rt-2-1-64.orig/html/Admin/Elements/CheckOverrideGlobalACL	Thu Jan  1 08:00:00 1970
+++ rt-2-1-64.work/html/Admin/Elements/CheckOverrideGlobalACL	Sun Feb  2 00:34:34 2003
@@ -0,0 +1,46 @@
+%# BEGIN LICENSE BLOCK
+%# 
+%# Copyright (c) 1996-2002 Jesse Vincent <jesse at bestpractical.com>
+%# 
+%# (Except where explictly superceded by other copyright notices)
+%# 
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org
+%# 
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%# 
+%# 
+%# Unless otherwise specified, all modifications, corrections or
+%# extensions to this work which alter its source code become the
+%# property of Best Practical Solutions, LLC when submitted for
+%# inclusion in the work.
+%# 
+%# 
+%# END LICENSE BLOCK
+<INPUT TYPE=CHECKBOX NAME="SetOverrideGlobalACL" VALUE="1" <%$OverrideGlobalACL%>> <&|/l&>Override global rights</&><BR>
+
+<%INIT>
+my $OverrideGlobalACL = "";
+
+if ( defined($SetOverrideGlobalACL) &&
+     $SetOverrideGlobalACL xor $QueueObj->OverrideGlobalACL() ) {
+    my ($code, $msg) =
+       $QueueObj->SetOverrideGlobalACL( $SetOverrideGlobalACL ? 1 : 0 );
+    push @{$results}, loc('OverrideGlobalACL status [_1]', loc_fuzzy($msg));
+}
+
+if ($QueueObj->OverrideGlobalACL()) {
+    $OverrideGlobalACL = "CHECKED";
+}
+</%INIT>
+
+<%ARGS>
+$results => undef
+$QueueObj => undef
+$SetOverrideGlobalACL => undef
+</%ARGS>
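Review bot: The condition at the top of `<%INIT>` does not do what its layout suggests: `xor` binds more loosely than `&&`, so it is parsed as `(defined($SetOverrideGlobalACL) && $SetOverrideGlobalACL) xor $QueueObj->OverrideGlobalACL()`, and on a plain page view (no form submitted, `$SetOverrideGlobalACL` undef) with the flag currently on, the branch runs and calls `SetOverrideGlobalACL(0)` — merely opening the queue's Basics, Group Rights or User Rights page switches the override back off. Adding parentheses alone does not help, because an unchecked checkbox is not submitted at all and would then be indistinguishable from a page view, so the flag could never be turned off through the form. Modify.html already solves this for Enabled with a hidden `SetEnabled` marker plus an `Enabled` checkbox; the same shape works here, with the callers in GroupRights.html, Modify.html and UserRights.html additionally passing `OverrideGlobalACL => $OverrideGlobalACL` and declaring it in their `<%ARGS>`. The `$code` status returned by `SetOverrideGlobalACL` is also discarded; checking it avoids reporting a refused update as if it had succeeded.
```perl
%# … unchanged: license block …
<INPUT TYPE=HIDDEN NAME="SetOverrideGlobalACL" VALUE="1">
<INPUT TYPE=CHECKBOX NAME="OverrideGlobalACL" VALUE="1" <%$OverrideGlobalACLChecked%>> <&|/l&>Override global rights</&><BR>

<%INIT>
my $OverrideGlobalACLChecked = "";

# Act only on a real form submission (hidden marker present); a plain
# page view must leave the flag untouched.
if ( defined $SetOverrideGlobalACL ) {
    my $wanted = $OverrideGlobalACL ? 1 : 0;
    if ( $wanted != ( $QueueObj->OverrideGlobalACL() ? 1 : 0 ) ) {
        my ($code, $msg) = $QueueObj->SetOverrideGlobalACL($wanted);
        push @{$results}, loc('OverrideGlobalACL status [_1]', loc_fuzzy($msg));
    }
}

if ($QueueObj->OverrideGlobalACL()) {
    $OverrideGlobalACLChecked = "CHECKED";
}
</%INIT>

<%ARGS>
$results => undef
$QueueObj => undef
$SetOverrideGlobalACL => undef
$OverrideGlobalACL => undef
</%ARGS>
```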
diff -ruN rt-2-1-64.orig/html/Admin/Queues/GroupRights.html rt-2-1-64.work/html/Admin/Queues/GroupRights.html
--- rt-2-1-64.orig/html/Admin/Queues/GroupRights.html	Sun Feb  2 00:23:35 2003
+++ rt-2-1-64.work/html/Admin/Queues/GroupRights.html	Sun Feb  2 00:34:34 2003
@@ -35,6 +35,13 @@
       
 <h1><&|/l&>System groups</&></h1>
 <TABLE>
+<TR>
+<TD COLSPAN=2>
+<& /Admin/Elements/CheckOverrideGlobalACL, QueueObj => $QueueObj,
+   results => \@results,
+   SetOverrideGlobalACL => $SetOverrideGlobalACL &>
+</TD>
+</TR>        
 % $Groups = RT::Groups->new($session{'CurrentUser'});
 % $Groups->LimitToSystemInternalGroups();
 %	while (my $Group = $Groups->Next()) {
@@ -107,4 +114,5 @@
 
 <%ARGS>
 $id => undef
+$SetOverrideGlobalACL => undef
 </%ARGS>
diff -ruN rt-2-1-64.orig/html/Admin/Queues/Modify.html rt-2-1-64.work/html/Admin/Queues/Modify.html
--- rt-2-1-64.orig/html/Admin/Queues/Modify.html	Sun Feb  2 00:23:35 2003
+++ rt-2-1-64.work/html/Admin/Queues/Modify.html	Sun Feb  2 00:34:34 2003
@@ -80,9 +80,14 @@
 <TR>
 <TD>
 </TD>
-<TD COLSPAN=4><INPUT TYPE=HIDDEN NAME="SetEnabled" VALUE="1">
+<TD COLSPAN=2><INPUT TYPE=HIDDEN NAME="SetEnabled" VALUE="1">
 <INPUT TYPE=CHECKBOX NAME="Enabled" VALUE="1" <%$EnabledChecked%>> <&|/l&>Enabled (Unchecking this box disables this queue)</&><BR>
 </TD>
+<TD COLSPAN=2>
+<& /Admin/Elements/CheckOverrideGlobalACL, QueueObj => $QueueObj,
+   results => \@results,
+   SetOverrideGlobalACL => $SetOverrideGlobalACL &>
+</TD>
 </TR>
 
 </TABLE>
@@ -158,4 +163,5 @@
 $DefaultDueIn => undef
 $SetEnabled => undef
 $Enabled => undef
+$SetOverrideGlobalACL => undef
 </%ARGS>
diff -ruN rt-2-1-64.orig/html/Admin/Queues/UserRights.html rt-2-1-64.work/html/Admin/Queues/UserRights.html
--- rt-2-1-64.orig/html/Admin/Queues/UserRights.html	Sun Feb  2 00:23:35 2003
+++ rt-2-1-64.work/html/Admin/Queues/UserRights.html	Sun Feb  2 00:34:34 2003
@@ -34,7 +34,13 @@
       
       
 <TABLE>
-        
+<TR>
+<TD COLSPAN=2>
+<& /Admin/Elements/CheckOverrideGlobalACL, QueueObj => $QueueObj,
+   results => \@results,
+   SetOverrideGlobalACL => $SetOverrideGlobalACL &>
+</TD>
+</TR>        
 %	while (my $Member = $Users->Next()) {
 % my $UserObj = $Member->MemberObj->Object();
 % my $group = RT::Group->new($session{'CurrentUser'});
@@ -88,4 +94,5 @@
 $UserString => undef
 $UserOp => undef
 $UserField => undef
+$SetOverrideGlobalACL => undef
 </%ARGS>
diff -ruN rt-2-1-64.orig/lib/RT/Principal_Overlay.pm rt-2-1-64.work/lib/RT/Principal_Overlay.pm
--- rt-2-1-64.orig/lib/RT/Principal_Overlay.pm	Sun Feb  2 00:23:34 2003
+++ rt-2-1-64.work/lib/RT/Principal_Overlay.pm	Sun Feb  2 00:34:33 2003
@@ -291,7 +291,7 @@
     }
     # }}}
 
-    #  {{{ if we've cached a negative result for this query return undef
+    # {{{ if we've cached a negative result for this query return undef
     elsif (    ( defined $self->_ACLCache->{"$hashkey"} )
             && ( $self->_ACLCache->{"$hashkey"}{'val'} == -1 )
             && ( defined $self->_ACLCache->{"$hashkey"}{'set'} )
@@ -307,7 +307,7 @@
 
 
 
-    #  {{{ Out of date docs
+    # {{{ Out of date docs
     
     #   We want to grant the right if:
 
@@ -348,12 +348,19 @@
         " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.ObjectId AND Principals.PrincipalType = 'Group') ";
 
    } 
-    # {{{ If an object is defined, we want to look at rights for that object
+    # {{{ Construct Right Match
+
+    # If an object is defined, we want to look at rights for that object
    
     my @look_at_objects;
-    push (@look_at_objects, "ACL.ObjectType = 'RT::System'");
-
 
+    my $IsOverrideACL =
+        ( ( (ref($args{Object}) eq 'RT::Ticket') &&
+            $args{Object}->QueueObj->__Value('OverrideGlobalACL')) ||
+          ( (ref($args{Object}) eq 'RT::Queue') &&
+            $args{Object}->__Value('OverrideGlobalACL')) );
+    push (@look_at_objects, "ACL.ObjectType = 'RT::System'")
+        unless $IsOverrideACL;
 
     foreach my $obj (@{$args{'EquivObjects'}}) {
             next unless (UNIVERSAL::can($obj, 'id'));
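Review bot: `$IsOverrideACL` is derived with `ref($args{Object}) eq 'RT::Ticket'` / `eq 'RT::Queue'`, so the override only takes effect when the object passed as `Object` is exactly one of those two classes; a subclass, or a call that identifies the queue only through `EquivObjects` (the list the loop below already walks), silently falls back to the global-rights path, which is the permissive outcome for a feature meant to restrict. Testing with `UNIVERSAL::isa($args{Object}, 'RT::Queue')` and, more robustly, also setting the flag from any `RT::Queue` found in `@{$args{'EquivObjects'}}` would close that gap. Reading the flag through `__Value` rather than the accessor is the right choice here, since the accessor would re-enter the rights check. Whether entries in `_ACLCache` survive a toggle of the flag depends on how `$hashkey` is built, which is outside this hunk; if it does not reflect the queue's override state, a previously cached grant keeps working after the override is switched on until that entry expires.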
@@ -362,16 +369,33 @@
             push @look_at_objects, "(ACL.ObjectType = '$type' AND ACL.ObjectId = '$id')"; 
             }
 
+    my $MatchRight;
+    if ($IsOverrideACL) {               # Override ACL in a queue?
+        $MatchRight = 
+            # Superuser can do everything
+            "( (ACL.RightName = 'SuperUser' AND ACL.ObjectType = 'RT::System' ) ".
+            # Or only those rights granted in queue
+            "OR (ACL.RightName = '$right' AND (".join('OR', @look_at_objects).")) )";
+    } else {                            # Not override ACL in a queue
+        $MatchRight = 
+            # Only find superuser or rights with the name $right
+            "(ACL.RightName = 'SuperUser' OR  ACL.RightName = '$right') " .
+
+            # Make sure the rights apply to the entire system or to
+            # the object in question
+            "AND ( ".join(' OR ', @look_at_objects).") ";
+    }
      
     # }}}
 
-    #  {{{ Build that honkin-big SQL query
+    # {{{ Build that honkin-big SQL query
 
     
 
     my $query = "SELECT COUNT(ACL.id) from ACL, Groups, Principals, CachedGroupMembers WHERE  ".
-    # Only find superuser or rights with the name $right
-   "(ACL.RightName = 'SuperUser' OR  ACL.RightName = '$right') ".
+
+   $MatchRight .
+
    # Never find disabled groups.
    "AND Principals.Disabled = 0 "
     . "AND CachedGroupMembers.Disabled = 0  ".
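Review bot: In the override branch `join('OR', @look_at_objects)` has no spaces around the keyword, unlike the `join(' OR ', …)` used in the other branch a few lines below, and when the override is on and `EquivObjects` contributed nothing the list is empty, leaving `AND ()` in the query — a SQL syntax error rather than a clean deny. Use `join(' OR ', @look_at_objects)` for consistency and guard the empty case before building `$MatchRight`, e.g. `push @look_at_objects, '1 = 0' unless @look_at_objects;`, so the query stays valid and evaluates to no rows. The interpolation of `$right` into the SQL string is pre-existing in this function and not introduced by the hunk.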
@@ -382,9 +406,6 @@
     # also, check to see if the right is being granted _directly_ to this principal,
     #  as is the case when we want to look up group rights
     "AND  Principals.Id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId = '" . $self->Id . "' ".
-
-    # Make sure the rights apply to the entire system or to the object in question
-    "AND ( ".join(' OR ', @look_at_objects).") ".
 
     # limit the result set to groups of types ACLEquivalence (user)  UserDefined, SystemInternal and Personal
     "AND ( (  ACL.PrincipalId = Principals.Id and Principals.ObjectId = Groups.Id AND ACL.PrincipalType = 'Group' AND ".
diff -ruN rt-2-1-64.orig/lib/RT/Queue.pm rt-2-1-64.work/lib/RT/Queue.pm
--- rt-2-1-64.orig/lib/RT/Queue.pm	Sun Feb  2 00:23:34 2003
+++ rt-2-1-64.work/lib/RT/Queue.pm	Sun Feb  2 00:34:33 2003
@@ -91,6 +91,7 @@
                 FinalPriority => '0',
                 DefaultDueIn => '0',
                 Disabled => '0',
+                OverrideGlobalACL => '0',
 
 		  @_);
     $self->SUPER::Create(
@@ -102,6 +103,7 @@
                          FinalPriority => $args{'FinalPriority'},
                          DefaultDueIn => $args{'DefaultDueIn'},
                          Disabled => $args{'Disabled'},
+                         OverrideGlobalACL => $args{'OverrideGlobalACL'},
 );
 
 }
@@ -326,6 +328,8 @@
         LastUpdated => 
 		{read => 1, auto => 1, type => 'datetime', default => ''},
         Disabled => 
+		{read => 1, write => 1, type => 'smallint(6)', default => '0'},
+        OverrideGlobalACL => 
 		{read => 1, write => 1, type => 'smallint(6)', default => '0'},
 
  }

