CreateGroupAndAddMembers
Latest revision as of 15:03, 6 April 2016
I have users that need to create RT groups and manage the members of those groups. By giving them the AdminGroup right globally they can create groups. But to manage group membership they need AdminGroupMember globally, which is bad security because they could add themselves to groups with more rights. This overlay checks when a group is created and if the person who creates the group is a member of a Magic group, the Magic group is granted SeeGroup, AdminGroup (redundant but explicit), and AdminGroupMembership. Season to taste. -Todd
package RT::Group;

use strict;
no warnings qw(redefine);

# Called after a user-defined group has been created. If the creator belongs
# to one of the listed admin groups, that admin group is granted rights on
# the new group only (object-scoped), not globally.
sub _GrantRightOnCreate {
    my $self = shift;
    my $principal = $self->CurrentUser->PrincipalObj;
    my @admin_groups = qw( Magic );

    GROUPS: foreach my $group_name ( @admin_groups ) {
        my $group = RT::Group->new( $RT::SystemUser );
        my ($rv, $msg) = $group->LoadUserDefinedGroup( $group_name );
        # Skip an admin group that cannot be loaded and keep checking the rest.
        next GROUPS unless $rv;

        if ( $group->HasMemberRecursively( $principal ) ) {
            # Give rights to group
            my $group_principal = $group->PrincipalObj();
            $group_principal->GrantRight( Right => 'SeeGroup', Object => $self );
            $group_principal->GrantRight( Right => 'AdminGroup', Object => $self );
            $group_principal->GrantRight( Right => 'AdminGroupMembership', Object => $self );
            last GROUPS;
        }
    }
}

# Wrap the stock CreateUserDefinedGroup so the grant runs after a successful create.
my $Orig_CreateUserDefinedGroup = \&CreateUserDefinedGroup;
*CreateUserDefinedGroup = sub {
    my @result = $Orig_CreateUserDefinedGroup->(@_);
    if ($result[0]) {
        $_[0]->_GrantRightOnCreate();
    }
    return @result;
};

1;
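An audit script to confirm the overlay has the intended effect, added here as an example and not part of the original page: for a given user it fails if AdminGroupMembership is held globally, and otherwise lists the user-defined groups whose membership that user can manage. It assumes RT 4 or later installed under /opt/rt4 (adjust the `use lib` path) and must run as an account that can read the RT configuration.

```perl
#!/usr/bin/perl
# Added example: report where a user effectively holds AdminGroupMembership.
use strict;
use warnings;
use lib '/opt/rt4/lib';    # assumption: default RT 4 install prefix

use RT;
RT::LoadConfig();
RT::Init();

my $name = shift @ARGV or die "usage: $0 <rt-username>\n";

my $user = RT::User->new( RT->SystemUser );
$user->Load($name);
die "No such RT user: $name\n" unless $user->Id;

my $right = 'AdminGroupMembership';

# A global grant (or SuperUser) lets the user add themselves to any group,
# which is exactly what the overlay is meant to avoid.
if ( $user->HasRight( Right => $right, Object => RT->System ) ) {
    print "FAIL: $name holds $right globally (directly, via a group, or as SuperUser)\n";
    exit 1;
}

# No global grant: every hit below comes from an object-scoped grant,
# for example the one the overlay makes to the Magic group at creation time.
my $groups = RT::Groups->new( RT->SystemUser );
$groups->LimitToUserDefinedGroups;

my $count = 0;
while ( my $group = $groups->Next ) {
    next unless $user->HasRight( Right => $right, Object => $group );
    printf "%s can manage membership of group #%d (%s)\n",
        $name, $group->Id, $group->Name;
    $count++;
}

print "OK: $name holds $right on $count group(s), none of it global\n";
exit 0;
```

Review the listed groups against the ones the Magic group's members are expected to have created; any group there that carries broader rights is a path to self-escalation.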