[rt-devel] limit queues by right ModifyTicket also for SuperUser

Christian Loos cloos at netcologne.de
Tue Jul 14 10:12:26 EDT 2015


On 19.05.2015 at 17:35, Shawn Moore wrote:
> The first place to check is the code that supports the admin UI for editing a user’s rights. Since SuperUser doesn’t automatically check every checkbox, there must be code that looks at the rights more closely than ->HasRight() to decide what to display. And sure enough there is:
> 
> 
> share/html/Admin/Elements/EditRightsCategoryTabs:
> 
> # Find all the current rights for this principal
> my %current_rights;
> if ($Principal) {
>     my $acls = RT::ACL->new($session{'CurrentUser'});
>     $acls->LimitToObject( $Context );
>     $acls->LimitToPrincipal( Id => $Principal->PrincipalId );
> 
>     while ( my $ace = $acls->Next ) {
>         my $right = $ace->RightName;
>         $current_rights{$right} = 1;
>     }
> }
> 
> 
> This iterates over all the rights granted only to the specific principal, so it does not handle rights granted by group membership, either directly, or recursively. You can use the cached group members table (RT::CachedGroupMembers) to iterate over a user’s recursive group memberships to limit the RT::ACL search down. And of course you can limit the ACL you care about to just ModifyTicket instead of iterating over all of those.
> 
> It’s probably about twenty lines of code. I hope there aren’t too many corner cases… like what if the user has ModifyTicket only due to being an AdminCc? Also I’m not sure how slow it’ll be for your system: rights is one place RT does some careful caching. Please let us know how it goes!

I actually found the IncludeGroupMembership option for LimitToPrincipal
and my queue_filter looks like this:

sub queue_filter {
    my $queue = shift;
    # SuperUser passes every HasRight() check, so for a SuperUser look for an
    # explicit ModifyTicket grant on this queue instead: an ACE held by the
    # user directly or by any group the user is a (recursive) member of.
    if ($session{CurrentUser}->HasRight(Right => 'SuperUser', Object => RT->System)) {
        my $acls = RT::ACL->new($session{CurrentUser});
        $acls->LimitToObject($queue);
        $acls->Limit(FIELD => 'RightName', VALUE => 'ModifyTicket');
        $acls->LimitToPrincipal(
            Id                     => $session{CurrentUser}->PrincipalId,
            IncludeGroupMembership => 1,
        );
        return $acls->Count;
    } else {
        # Everyone else gets the normal right check
        return $queue->CurrentUserHasRight('ModifyTicket');
    }
}


Thanks for the hint.

Chris
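As an added example that is not part of this thread, the script below exercises the filter logic above against a disposable RT 4.x test instance: it creates a queue, a group granted ModifyTicket on it, and two SuperUsers, only one of whom is in the group, then reports which of them the filter lets through. The `/opt/rt4/lib` path and the fixture names are assumptions, and the filter takes the current user as a parameter because there is no Mason `%session` outside the web UI.

```perl
# Added example (not from the thread); the lib path below is an assumption.
use strict;
use warnings;
use lib '/opt/rt4/lib';
use RT;
RT::LoadConfig();
RT::Init();
# Same logic as Chris's queue_filter, with the current user passed in.
sub queue_filter {
    my ( $current_user, $queue ) = @_;
    if ( $current_user->HasRight( Right => 'SuperUser', Object => RT->System ) ) {
        # SuperUser implies every right, so look for an explicit ModifyTicket
        # ACE on this queue held by the user or by a group they belong to.
        my $acls = RT::ACL->new($current_user);
        $acls->LimitToObject($queue);
        $acls->Limit( FIELD => 'RightName', VALUE => 'ModifyTicket' );
        $acls->LimitToPrincipal(
            Id                     => $current_user->PrincipalId,
            IncludeGroupMembership => 1,
        );
        return $acls->Count;
    }
    return $queue->CurrentUserHasRight('ModifyTicket');
}
# Constructed fixtures: a queue, a group holding ModifyTicket on it, and two
# SuperUsers of which only one is a member of that group.
my $queue = RT::Queue->new( RT->SystemUser );
my ( $qid, $qmsg ) = $queue->Create( Name => 'filter-demo-queue' );
die $qmsg unless $qid;
my $group = RT::Group->new( RT->SystemUser );
my ( $gid, $gmsg ) = $group->CreateUserDefinedGroup( Name => 'filter-demo-group' );
die $gmsg unless $gid;
$group->PrincipalObj->GrantRight( Right => 'ModifyTicket', Object => $queue );
my %users;
for my $name (qw(su-in-group su-not-in-group)) {
    my $user = RT::User->new( RT->SystemUser );
    my ( $uid, $umsg ) = $user->Create( Name => $name, Privileged => 1 );
    die $umsg unless $uid;
    $user->PrincipalObj->GrantRight( Right => 'SuperUser', Object => RT->System );
    $users{$name} = $user;
}
$group->AddMember( $users{'su-in-group'}->PrincipalId );
# su-not-in-group holds ModifyTicket solely through SuperUser and is filtered out.
for my $name ( sort keys %users ) {
    my $cu = RT::CurrentUser->new( $users{$name} );
    my $q  = RT::Queue->new($cu);    # load the queue as this user
    $q->Load($qid);
    printf "%-16s shown: %s\n", $name, queue_filter( $cu, $q ) ? 'yes' : 'no';
}
```

Run it as the RT system user on a test database, since it creates the queue, group and users it checks.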

