[Rt-devel] Why are Groups cachedmembers of themselves?
Joby Walker
joby at u.washington.edu
Mon Oct 30 20:13:00 EST 2006
Jesse Vincent wrote:
>> So why is this necessary? Is it for ACL checks on User Defined groups?
>
> It's for ~all group ACL and groupmember checks.
>
Ok, it took me a while to see where the cachedgroupmember record is
necessary: When you make a check to see if a group has the ACL to do X
(exactly what you said).
The impact of adding hundreds of thousands of additional records seems
like a very high cost to be able to do these group queries just like
user permission queries.
I grabbed a fresh rt-3.4.4 (what we currently use) and Modified the
following:
RT::Group_Overlay->_Create()
comment out line 511,512 where the group is added as a cached member of
itself.
RT::Principal_Overlay->HasRight()
Add on line 401 (just before the "Build that honkin-big SQL query") a
check that if the Principal is a Group to determine if that group has a
specific ACL.
if ($self->IsGroup) {
my $qb = 'SELECT ACL.id from ACL, Principals WHERE'
." ( ACL.RightName = 'SuperUser' OR ACL.RightName = '$right' ) "
."AND Principals.Disabled = 0 "
."AND Principals.id = " . $self->Id . " "
."AND Principals.id = ACL.principalid "
."AND ( " . join( ' OR ', @look_at_objects ). ") ";
$self->_Handle->ApplyLimits( \$qb, 1 );
my $hitcount = $self->_Handle->FetchResult($qb);
if ($hitcount) {
return (1);
}
}
With these two changes all of the regression tests pass.
Joby Walker
C&C SSG, University of Washington
More information about the Rt-devel
mailing list