Bug in REST2 API /queues/all

Hi all,

I’ve been trying to track down a problem with the REST2 API /queues/all call. If this is sent by a user that is either not an admin or doesn’t have the global “SeeQueue” right, the REST2 API not only no longer shows the total hits or number of pages, but also misses out the next_page and prev_page links.

Tracking down what was causing this was a real head scratcher. After many false starts and following the twisty maze of inherited and overridden module functions, I think I’ve finally tracked the problem down, and it’s actually in the RT::Queues module. This has its own AddRecord() function which is used to decide if a record can be added to the result set of a query.

I discovered that the $Queue->CurrentUserHasRight('SeeQueue') in this AddRecord method only seemed to work on the first page of results. As the RT::REST2::Resource::Collection.pm module now tries to do multiple “preview” pulls to see if it should add a next_page and/or prev_page link to the REST2 JSON results, the lack of rights meant it thought there were no more valid pages to view.

The fix was to make a local copy of lib/RT/Queues.pm and add one line to the AddRecord() method to give this:

sub AddRecord {
    my $self = shift;
    my $Queue = shift;

    $Queue->CurrentUser->PrincipalObj->HasRights( Object => $Queue);

    return unless $Queue->CurrentUserHasRight('SeeQueue');

    push @{$self->{'items'}}, $Queue;
    $self->{'rows'}++;
}

The extra line is the $Queue->CurrentUser->PrincipalObj->HasRights( Object => $Queue); which sets up a cache for the subsequent CurrentUserHasRight() call. I don’t know why it needs this, but it appears to fix it, and next_page links now appear.

I’ve just reported this as bug ID #37988 so hopefully someone at Best Practical will review it, shake their head and tell me why it’s wrong. :rofl:
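
A regression check for the symptom described above, as an added example that is not part of the original post or of RT's own code: it walks the pages of a /queues/all style response and flags any page whose neighbour has items but whose next_page or prev_page link is absent. The `items`, `page`, `per_page` and `count` field names, the /REST/2.0 URL prefix, and the premise that later pages can still be fetched by explicit page number are assumptions; the responses are constructed test doubles.

```python
# Added example: offline regression check for the missing-link symptom.
# The page dicts below are constructed sample data, not captured RT output.

def audit_pagination(fetch_page, max_pages=50):
    """Walk page=1..N via fetch_page(n) -> dict and report link gaps.

    Returns a list of (page_number, problem) tuples. A page is flagged when
    a neighbouring page has items but the link pointing at it is absent.
    """
    problems = []
    prev_had_items = False
    page_no = 1
    current = fetch_page(page_no)
    while current.get("items") and page_no <= max_pages:
        if prev_had_items and "prev_page" not in current:
            problems.append((page_no, "missing prev_page"))
        following = fetch_page(page_no + 1)
        if following.get("items") and "next_page" not in current:
            problems.append((page_no, "missing next_page"))
        prev_had_items = True
        page_no += 1
        current = following
    return problems


def make_fetcher(queue_ids, per_page, with_links):
    """Build a fake fetch_page over constructed queue ids (test double)."""
    def fetch_page(n):
        start = (n - 1) * per_page
        chunk = queue_ids[start:start + per_page]
        page = {"page": n, "per_page": per_page, "count": len(chunk),
                "items": [{"type": "queue", "id": str(q)} for q in chunk]}
        if with_links and start + per_page < len(queue_ids):
            page["next_page"] = f"/REST/2.0/queues/all?page={n + 1}"
        if with_links and n > 1 and chunk:
            page["prev_page"] = f"/REST/2.0/queues/all?page={n - 1}"
        return page
    return fetch_page


# Seven constructed queue ids, three per page: pages 1-3 have items.
BROKEN = make_fetcher(list(range(1, 8)), per_page=3, with_links=False)
FIXED = make_fetcher(list(range(1, 8)), per_page=3, with_links=True)

if __name__ == "__main__":
    print("broken:", audit_pagination(BROKEN))
    print("fixed: ", audit_pagination(FIXED))
```

Against a live instance, `fetch_page` would wrap an authenticated GET made as a user without the global SeeQueue right, and the same walk run as an admin gives the baseline to compare against.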