Merge branch '4.4/system-saved-search-delete' into 4.4-trunk

bestpractical · Aug 1, 2023 · ac1ebf0 · ac1ebf0
2 parents ebcee45 + 2b4094d
commit ac1ebf0
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 2 deletions.
diff --git a/share/html/Search/Elements/EditSearches b/share/html/Search/Elements/EditSearches
@@ -61,7 +61,9 @@
 % if ( $Dirty ) {
 <input type="submit" class="button" name="SavedSearchRevert" value="<%loc('Revert')%>" />
 % }
+% if ( $Object && $Object->Id && $Object->CurrentUserHasRight('delete') ) {
 <input type="submit" class="button <% $Object && $Object->Id && $Object->DependedOnBy->Count ? 'confirm' : '' %>" name="SavedSearchDelete" value="<%loc('Delete')%>" />
+% }
 % if ( $AllowCopy ) {
 <input type="submit" class="button" name="SavedSearchCopy"   value="<%loc('Save as New')%>" />
 % }
@@ -114,6 +116,7 @@
     </div>
 % }
 <%INIT>
+
 return unless $session{'CurrentUser'}->HasRight(
     Right  => 'LoadSavedSearch',
     Object => $RT::System,
@@ -192,11 +195,23 @@ if ( $ARGS{'SavedSearchRevert'} ) {
     $ARGS{'SavedSearchLoad'} = $SavedSearch->{'Id'};
 }
 
+# See RT::Attribute for mappings of update, delete, display to actual
+# RT rights for the rights checks used here.
+
 if ( $ARGS{'SavedSearchLoad'} ) {
     my ($container, $id ) = _parse_saved_search ($ARGS{'SavedSearchLoad'});
+
     if ( $container ) {
         my $search = RT::Attribute->new( $session{'CurrentUser'} );
         $search->Load( $id );
+
+        if ($search) {
+            unless ($search->CurrentUserHasRight('display')) {
+                push @results, loc("No permission to load search");
+                return @results;
+            }
+        }
+
         $SavedSearch->{'Id'}          = $ARGS{'SavedSearchLoad'};
         $SavedSearch->{'Object'}      = $search;
         $SavedSearch->{'Description'} = $search->Description;
@@ -215,8 +230,22 @@ if ( $ARGS{'SavedSearchLoad'} ) {
     }
 }
 elsif ( $ARGS{'SavedSearchDelete'} ) {
-    # We set $SearchId to 'new' above already, so peek into the %ARGS
+    # Get the search id from $SavedSearch
     my ($container, $id) = _parse_saved_search( $SavedSearch->{'Id'} );
+
+    if ( $container ) {
+        # Load the attribute first to check rights before deleting
+        my $search = RT::Attribute->new( $session{'CurrentUser'} );
+        $search->Load( $id );
+
+        if ($search) {
+            unless ($search->CurrentUserHasRight('delete')) {
+                push @results, loc("No permission to delete search");
+                return @results;
+            }
+        }
+    }
+
     if ( $container && $container->id ) {
         # We have the object the entry is an attribute on; delete the entry...
         my ($val, $msg) = $container->Attributes->DeleteEntry( Name => 'SavedSearch', id => $id );

diff --git a/t/web/saved_search_permissions.t b/t/web/saved_search_permissions.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => 12;
+use RT::Test tests => undef;
 my $user = RT::User->new(RT->SystemUser);
 ok(
     $user->Create(
@@ -31,3 +31,49 @@ $m->content_contains( $message, 'user foo can not load saved search of root' );
 
 $m->warning_like( qr/User #\d+ tried to load container user #\d+/,
     'get warning' );
+
+diag('Test RT System saved searches');
+ok( $m->logout(), 'User foo logged out');
+ok( $m->login(), 'root logged in' );
+$m->get_ok( $url . '/Search/Build.html?Query=id<20' );
+$m->submit_form(
+    form_name => 'BuildQuery',
+    fields    => { SavedSearchOwner => 'RT::System-1', SavedSearchDescription => 'Less than 20' },
+    button    => 'SavedSearchSave',
+);
+$m->content_contains( q{name="SavedSearchDescription" value="Less than 20"}, 'Saved Less than 20 search' );
+($id) = $m->content =~ /value="(RT::System-1-SavedSearch-\d+)"/;
+
+ok( $m->login( 'foo', 'foobar', logout => 1 ), 'User foo logged in' );
+$m->get_ok( $url . "/Search/Build.html?SavedSearchLoad=$id" );
+
+$message = qq{No permission to load search};
+$m->content_contains( $message, 'user foo can not load RT System system-wide searches' );
+
+# Grant rights to display the saved search interface on Query Builder
+ok($user->PrincipalObj->GrantRight(Object => RT->System, Right =>'CreateSavedSearch'),
+    'Granted foo CreateSavedSearch');
+ok($user->PrincipalObj->GrantRight(Object => RT->System, Right =>'LoadSavedSearch'),
+    'Granted foo LoadSavedSearch');
+ok($user->PrincipalObj->GrantRight(Object => RT->System, Right =>'ShowSavedSearches'),
+    'Granted foo ShowSavedSearches');
+$m->get_ok( $url . "/Search/Build.html?SavedSearchLoad=$id" );
+$m->content_contains('Loaded saved search', 'User foo loaded RT System saved search' );
+
+$m->get_ok( $url . "/Search/Build.html?SavedSearchLoad=$id" );
+$m->content_lacks('name="SavedSearchSave"', 'Update button not shown to user foo' );
+$m->content_lacks('name="SavedSearchDelete"', 'Delete button not shown to user foo' );
+
+# Try to delete directly
+$m->get_ok( $url . "/Search/Build.html?SavedSearchDelete=1&SavedSearchId=$id" );
+$message = qq{No permission to delete search};
+$m->content_contains( $message, 'user foo can not delete RT System saved search' );
+
+ok($user->PrincipalObj->GrantRight(Object => RT->System, Right =>'EditSavedSearches'),
+    'Granted foo EditSavedSearches');
+$m->get_ok( $url . "/Search/Build.html?SavedSearchDelete=1&SavedSearchId=$id" );
+$message = qq{Deleted saved search};
+$m->content_contains( $message, 'user foo deleted RT saved search' );
+
+
+done_testing;