Feature for 2.0.15: The Configuration menu is only displayed if the user has rights

Hi Folks,

If you want the [Configuration]-Link to be displayed only when the user has
Configuration-Rights,
change the <%INIT> section of webrt/Elements/Tabs to:

<%INIT>
my ($tab, $action);
my $toptabs = { A => { title => 'Home',
                       path => '',
                     },
                B => { title => 'Search',
                       path => 'Search/Listing.html'
                     },

                D => { title => 'Configuration',
                       path => 'Admin/'
                     }
              };

# ----------------------------------------
# added by andreas.warnke @3Soft.de
# ----------------------------------------

# check, if the user has config-rights:
my $ConfigAccess = undef;
use RT::Queues;

# check global rights:
my $user = $session{'CurrentUser'};
if ( $user->HasSystemRight('AdminGroups') ||
     $user->HasSystemRight('AdminKeywordSelects') ||
     $user->HasSystemRight('AdminKeywords') ||
     $user->HasSystemRight('AdminQueue') ||
     $user->HasSystemRight('AdminUsers') ||
     $user->HasSystemRight('ModifyACL') ||
     $user->HasSystemRight('ModifyQueueWatchers') ||
     $user->HasSystemRight('ModifyScrips') ||
#    $user->HasSystemRight('ModifySelf') ||
     $user->HasSystemRight('ModifyTemplate') ||
     $user->HasSystemRight('ShowACL') ||
     $user->HasSystemRight('ShowScrips') ||
     $user->HasSystemRight('ShowTemplate') ||
     $user->HasSystemRight('SuperUser') ) {
    $ConfigAccess = 1; }

# check queue rights:
my $queues = new RT::Queues( $user );
while ( my $queue = $queues->Next() )
{
    if ( $queue->CurrentUserHasRight('AdminKeywordSelects') ||
         $queue->CurrentUserHasRight('AdminQueue') ||
         $queue->CurrentUserHasRight('ModifyACL') ||
         $queue->CurrentUserHasRight('ModifyQueueWatchers') ||
         $queue->CurrentUserHasRight('ModifyScrips') ||
         $queue->CurrentUserHasRight('ModifyTemplate') ||
         $queue->CurrentUserHasRight('ShowACL') ||
         $queue->CurrentUserHasRight('ShowScrips') ||
         $queue->CurrentUserHasRight('ShowTemplate') ) {
        $ConfigAccess = 1; }
}

# if no access, delete options from toptabs:
unless ( $ConfigAccess ) {
    delete $toptabs->{'D'};
    if ($current_toptab eq 'Admin/' ) {
        $tabs=undef;
        $subtabs=undef;
    }
}

# ----------------------------------------

my $topactions = {
    A => { html => $m->scomp('/Elements/CreateTicket')
         },
    B => { html => $m->scomp('/Elements/GotoTicket')
         }
};
</%INIT>

Comment:
This is a simple workaround. A complete solution would require checking
all $tab options and $subtab options to see whether the user has access to them.

Greetings
Andreas

> If you want the [Configuration]-Link be displayed only when the user has
> Configuration-Rights,
> Change the <%INIT> Section of webrt/Elements/Tabs to:

What a coincidence, you beat me to it by minutes. I was just about
to send my patch for the same feature. Mine (I believe) makes it easier
to control who sees the link.

I add a right to the ACL system (and correct a spelling error along the way)

*** lib/RT/ACE.pm 2002/10/30 15:17:18 1.1
— lib/RT/ACE.pm 2002/10/30 15:20:25
*** 75,85 ****

System rights are rights granted to the whole system

%SYSTEMRIGHTS = (
SuperUser => ‘Do anything and everything’,
! AdminKeywords => ‘Creatte, delete and modify keywords’,
AdminGroups => ‘Create, delete and modify groups’,
AdminUsers => ‘Create, Delete and Modify users’,
ModifySelf => ‘Modify one's own RT account’,
!
);

}}}

— 75,85 ----

System rights are rights granted to the whole system

%SYSTEMRIGHTS = (
SuperUser => ‘Do anything and everything’,
! AdminKeywords => ‘Create, delete and modify keywords’,
AdminGroups => ‘Create, delete and modify groups’,
AdminUsers => ‘Create, Delete and Modify users’,
ModifySelf => ‘Modify one's own RT account’,
! SeeConfiguration => ‘See Configuration Tab’,
);

}}}
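
Review bot: the description on the new SeeConfiguration line in %SYSTEMRIGHTS, 'See Configuration Tab', does not say that the right only controls whether the tab is shown, so someone granting rights could read it as giving access to the configuration pages. A description along the lines of 'Show the Configuration tab (display only)' would make that clear where rights are assigned. The 'Creatte' spelling fix on the AdminKeywords line is unrelated to the new right and would be easier to review and merge as a separate change.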

Then I key off of that right

*** WebRT/html/Elements/Tabs 2002/10/29 15:35:50 1.1
— WebRT/html/Elements/Tabs 2002/11/21 15:28:58
*** 98,115 ****

<%INIT>
my ($tab, $action);
! my $toptabs = { A => { title => ‘Home’,
! path => ‘’,
! },
! B => { title => ‘Search’,
! path => ‘Search/Listing.html’
! },
!
! D => { title => ‘Configuration’,
! path => ‘Admin/’
! }
! };
!

my $topactions = {
A => { html => $m->scomp(‘/Elements/CreateTicket’)
— 98,115 ----

<%INIT>
my ($tab, $action);
! my $toptabs = { A => { title => ‘Home’,
! path => ‘’,
! },
! B => { title => ‘Search’,
! path => ‘Search/Listing.html’
! }
! };
! if ($session{‘CurrentUser’}->HasSystemRight(‘SeeConfiguration’)) {
! $toptabs->{‘D’} = { title => ‘Configuration’,
! path => ‘Admin/’
! };
! }

my $topactions = {
A => { html => $m->scomp(‘/Elements/CreateTicket’)
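
Review bot: the HasSystemRight('SeeConfiguration') test around $toptabs->{'D'} only leaves the link out of the menu; nothing in this hunk stops a user without the right from requesting a path under Admin/ directly, so the pages there still have to enforce their own rights and the patch should not be described as restricting access. The condition also depends on SeeConfiguration alone, so a user who holds AdminUsers or AdminGroups but was not granted the new right loses the link; either document that SeeConfiguration must be granted alongside those rights or include them in the condition.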

Then I grant SeeConfiguration to the right groups or people.

-tony

Be forewarned that ACL checks are relatively expensive. This patch has
the danger of possibly slowing RT down a lot.

-j
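
A table-driven version of the tab filter discussed in this thread, as an added example that is not part of any message above or of RT itself: each tab lists the system rights that justify showing it, and lookups are memoised and stop at the first match to keep the ACL cost down. `MockUser`, `%TABS` and `visible_tabs` are hypothetical names, only system rights are modelled (no per-queue rights), and the filter decides what is displayed, not what the pages under Admin/ allow.

```perl
#!/usr/bin/perl
# Added example, not RT code. MockUser is a hypothetical stand-in for
# $session{'CurrentUser'}; it counts how many ACL lookups are made.
use strict;
use warnings;

package MockUser;
sub new { my ($class, @rights) = @_; return bless { rights => { map { $_ => 1 } @rights }, lookups => 0 }, $class }
sub HasSystemRight { my ($self, $right) = @_; $self->{lookups}++; return $self->{rights}{$right} ? 1 : 0 }

package main;

# Each tab names the rights that justify showing it; an empty list means
# "always shown". Right names are taken from the messages in this thread.
my %TABS = (
    A => { title => 'Home',          path => '',                    rights => [] },
    B => { title => 'Search',        path => 'Search/Listing.html', rights => [] },
    D => { title => 'Configuration', path => 'Admin/',
           rights => [qw(SuperUser AdminUsers AdminGroups AdminQueue AdminKeywords ModifyACL)] },
);

# Return a hashref of the tabs this user may see. Each right is looked up at
# most once per call (memoised in %seen), and the search for a tab stops at
# the first right the user holds.
sub visible_tabs {
    my ($user) = @_;
    my (%seen, %out);
    for my $key (sort keys %TABS) {
        my @need = @{ $TABS{$key}{rights} };
        my $ok   = !@need;
        for my $right (@need) {
            $seen{$right} = $user->HasSystemRight($right) unless exists $seen{$right};
            if ($seen{$right}) { $ok = 1; last }
        }
        $out{$key} = { title => $TABS{$key}{title}, path => $TABS{$key}{path} } if $ok;
    }
    return \%out;
}

# Constructed sample users: one holding AdminUsers, one with no rights.
for my $case ([ 'admin', MockUser->new('AdminUsers') ], [ 'plain', MockUser->new() ]) {
    my ($name, $user) = @$case;
    my $tabs = visible_tabs($user);
    printf "%-5s sees: %s (%d ACL lookups)\n",
        $name, join(', ', map { $tabs->{$_}{title} } sort keys %$tabs), $user->{lookups};
}
```

The lookup counter shows the cost difference between a user who matches early in the list and one who matches nothing, which is the worst case for every page view.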
