From Request Tracker Wiki

I have users that need to create RT groups and manage the members of those groups. By giving them the AdminGroup right globally they can create groups. But to manage group membership they need AdminGroupMembership globally, which is bad security because they could add themselves to groups with more rights. This overlay checks, when a group is created, whether the person creating the group is a member of a Magic group; if so, the Magic group is granted SeeGroup, AdminGroup (redundant but explicit) and AdminGroupMembership on the new group only. Season to taste. -Todd

<pre>
package RT::Group;

use strict;
no warnings qw(redefine);

# Called after a user-defined group has been created. If the creating user is
# a (recursive) member of one of the admin groups listed below, that admin
# group is granted rights on the newly created group object only, so no
# global AdminGroupMembership right is needed.
sub _GrantRightOnCreate {
    my $self         = shift;
    my $principal    = $self->CurrentUser->PrincipalObj;
    my @admin_groups = qw( Magic );

    GROUPS: foreach my $group_name ( @admin_groups ) {
        my $group = RT::Group->new( $RT::SystemUser );
        my ($rv, $msg) = $group->LoadUserDefinedGroup( $group_name );
        # Skip a group that does not exist instead of abandoning the remaining ones.
        next GROUPS unless $rv;

        if ( $group->HasMemberRecursively( $principal ) ) {
            # Give rights to the admin group, scoped to this group object ($self).
            my $group_principal = $group->PrincipalObj();
            $group_principal->GrantRight( Right => 'SeeGroup',             Object => $self );
            $group_principal->GrantRight( Right => 'AdminGroup',           Object => $self );
            $group_principal->GrantRight( Right => 'AdminGroupMembership', Object => $self );
            last GROUPS;
        }
    }
}

# Wrap the stock CreateUserDefinedGroup: call the original, and on success
# (first return value is the new group id) run the grant hook on the same
# object ($_[0] is the invocant).
my $Orig_CreateUserDefinedGroup = \&CreateUserDefinedGroup;
*CreateUserDefinedGroup = sub {
    my @result = $Orig_CreateUserDefinedGroup->(@_);
    if ( $result[0] ) {
        $_[0]->_GrantRightOnCreate();
    }
    return @result;
};

1;
</pre>
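As an added check (not part of Todd's overlay), the script below, run on the RT host, confirms that the Magic group holds the three rights on a group created by one of its members and that AdminGroupMembership is not also held globally. It assumes RT 4 installed under /opt/rt4 and an existing user-defined group named Magic; the target group name is passed as an argument.

```perl
#!/usr/bin/perl
# Added verification script, not part of the wiki overlay.
# Assumptions: RT 4 libraries under /opt/rt4/lib, a user-defined group 'Magic'.
use strict;
use warnings;
use lib '/opt/rt4/lib';   # assumption: adjust to the local RT install
use RT;
RT::LoadConfig();
RT::Init();

my $target_name = shift @ARGV
    or die "usage: $0 <name of a group created by a Magic member>\n";
my @rights = qw( SeeGroup AdminGroup AdminGroupMembership );

my $magic = RT::Group->new( $RT::SystemUser );
my ($ok, $msg) = $magic->LoadUserDefinedGroup('Magic');
die "cannot load Magic group: $msg\n" unless $ok;

my $target = RT::Group->new( $RT::SystemUser );
($ok, $msg) = $target->LoadUserDefinedGroup($target_name);
die "cannot load group '$target_name': $msg\n" unless $ok;

my $principal = $magic->PrincipalObj;
my $failures  = 0;

# 1. Each right the overlay grants must be effective on the new group object.
for my $right (@rights) {
    my $has = $principal->HasRight( Right => $right, Object => $target );
    printf "%-22s on '%s': %s\n", $right, $target_name, $has ? 'granted' : 'MISSING';
    $failures++ unless $has;
}

# 2. AdminGroupMembership must not be held globally (Object => $RT::System);
#    a global grant is exactly the exposure the overlay exists to avoid.
my $global = $principal->HasRight(
    Right  => 'AdminGroupMembership',
    Object => $RT::System,
);
printf "AdminGroupMembership globally: %s\n",
    $global ? 'GRANTED (review this)' : 'not granted';
$failures++ if $global;

exit( $failures ? 1 : 0 );
```

A non-zero exit status means either the overlay did not fire for this group or a global AdminGroupMembership grant exists and should be reviewed.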