Update to code to allow non SuperUser to only update users

We wanted the ability to create a new user and give them access to
create/edit/disable users. I did not want to give this user SuperUser access, so I
gave them the following rights:

AdminUsers
ShowConfigTab

However, more menu options displayed than I wanted, plus I noticed that this
user could change the password for ANY user, including root, which I
didn’t care for.

So I put together this patch (consisting of 3 files) which will do the
following:

If a user has ShowConfigTab, but does NOT have SuperUser rights, the only menu option that will be displayed will be User.

When the list of privileged users comes up, users with the SuperUser right will NOT be displayed.

Just thought I’d share this with everyone in case others need this
functionality. I looked around and had not seen anything like this posted already.
Hopefully someone will find this handy.

— share/html/Admin/index.html Wed Jun 1 18:36:55 2005
+++ local/html/Admin/index.html Tue Sep 6 17:32:34 2005
@@ -55,45 +55,53 @@

<%init>

-my $tabs = {

  • A => {
  •     title       =>  loc('Users'),
    
  •     path        =>  'Admin/Users/index.html',
    
  •     description => loc('Manage users and passwords'),
    
  • },
    
  • B => {
  •    title =>  loc('Groups'),
    
  •    path  =>  'Admin/Groups/index.html',
    
  •     description => loc('Manage groups and group  membership'),
    
  • },
  • C => {
  •     title       =>  loc('Queues'),
    
  •     path        =>  'Admin/Queues/index.html',
    
  •     description => loc('Manage queues and queue-specific  properties'),
    
  • },
  • D => {
  •    'title'      => loc('Custom Fields'),
    
  •     description => loc('Manage custom fields and custom field  values'),
    
  •       path      =>  'Admin/CustomFields/index.html',
    
  • },
    
  • E => {
  •    'title'      => loc('Global'),
    
  •     path        =>  'Admin/Global/index.html',
    
  •     description =>
    
  •       loc('Manage properties and configuration which apply to all  
    

queues’),

  • },
  • F => {
  •    'title'      => loc('Tools'),
    
  •     path        =>  'Admin/Tools/index.html',
    
  •     description => loc('Use other RT administrative  tools')
    
  • },
    -};
    +my ($tabs, $superuser, $amisuperuser);
    +$superuser=new RT::User($session{‘CurrentUser’});
    +$amisuperuser=$superuser->CurrentUserHasRight(‘SuperUser’);
    +if ($amisuperuser) {
  • $tabs = {
  •    A =>  {
    
  •         title       =>  loc('Users'),
    
  •         path        =>  'Admin/Users/index.html',
    
  •         description => loc('Manage users and  passwords'),
    
  •     },
    
  •    B =>  {
    
  •        title  =>  loc('Groups'),
    
  •         path  =>  'Admin/Groups/index.html',
    
  •         description => loc('Manage groups and group  membership'),
    
  •     },
    
  •    C =>  {
    
  •         title       =>  loc('Queues'),
    
  •         path        =>  'Admin/Queues/index.html',
    
  •         description => loc('Manage queues and queue-specific  
    

properties’),

  •     },
    
  •    D =>  {
    
  •         'title'     => loc('Custom  Fields'),
    
  •         description => loc('Manage custom fields and custom field  
    

values’),

  •         path        =>  'Admin/CustomFields/index.html',
    
  •     },
    
  •    E =>  {
    
  •         'title'     =>  loc('Global'),
    
  •         path        =>  'Admin/Global/index.html',
    
  •         description => loc('Manage properties and configuration which 
    

apply to all queues’),

  •     },
    
  •    F =>  {
    
  •         'title'     =>  loc('Tools'),
    
  •         path        =>  'Admin/Tools/index.html',
    
  •         description => loc('Use other RT administrative  tools')
    
  •    },
    
  • }
    

+} else {

  • $tabs = {
  •    A =>  {
    
  •         title       =>  loc('Users'),
    
  •         path        =>  'Admin/Users/index.html',
    
  •         description => loc('Manage users and  passwords'),
    
  •     },
    
  • }
    +}

$m->comp(’/Elements/Callback’, tabs => $tabs, %ARGS);

</%init>
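Review bot: The `else` branch only trims the `$tabs` hash, so it hides menu entries without restricting access: the Groups, Queues, Custom Fields, Global and Tools components are still served on request and are protected only by whatever rights checks they perform themselves, which this patch does not show. A comment above `if ($amisuperuser) {` such as `# Cosmetic only: hides tabs, does not enforce access; each Admin component must check its own rights` would keep a later maintainer from reading this as a permission check. The six-entry hash is also repeated in full for the SuperUser branch; building it once and then running `delete @{$tabs}{qw(B C D E F)} unless $amisuperuser;` would keep the two copies from drifting. The same duplication appears in the Admin/Elements/Tabs hunks.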

— share/html/Admin/Users/index.html Sun Apr 17 21:43:44 2005
+++ local/html/Admin/Users/index.html Tue Sep 6 17:25:13 2005
@@ -56,8 +56,10 @@
% }
%my @ids;
%while ( $user = $users->Next) {
-% push @ids, $user->Id;
+% if
(($amisuperuser)||((!$amisuperuser)&&(!$user->HasRight(Object=>$RT::System,Right=>‘SuperUser’)))) {
+% push @ids, $user->Id;

  • <%$user->Name || loc('(no name listed)')%>
  • +% } %} %if (my $ids = join(',', @ids)) { @@ -74,7 +76,7 @@
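Review bot: Filtering SuperUser accounts out of this listing does not by itself stop a delegated admin from changing their passwords, which was the stated goal. The row is hidden here, but nothing in the patch adds a check to the component that saves user changes, so an unlisted account can presumably still be edited by anyone holding AdminUsers. The enforcement belongs where the modification is performed, refusing the update when the target holds SuperUser and the current user does not, with this loop kept only as a convenience. Separately, the added condition reduces to `if ($amisuperuser || !$user->HasRight(Object => $RT::System, Right => 'SuperUser')) {`. The `$amisuperuser` it reads is set in the `<%INIT>` hunks further down the same file.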

    <%INIT>
    -my ($user, $caption);
    +my ($user, $caption, $superuser, $amisuperuser);
    my $users = new RT::Users($session{‘CurrentUser’});

    if ($FindDisabledUsers) {
    @@ -102,6 +104,8 @@
    $caption = loc(“Privileged users”);
    $users->LimitToPrivileged;
    }
    +$superuser=new RT::User($session{‘CurrentUser’});
    +$amisuperuser=$superuser->CurrentUserHasRight(‘SuperUser’);
    </%INIT>
    <%ARGS>
    $UserString => undef
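Review bot: An empty `RT::User` object is constructed here only to call `CurrentUserHasRight` on it, using the indirect-object form `new RT::User(...)`. The session's user object should be able to answer directly, as the listing loop already does for `$user`: `my $amisuperuser = $session{'CurrentUser'}->HasRight(Object => $RT::System, Right => 'SuperUser');`. That drops the `$superuser` temporary and makes it explicit that the right is checked against `$RT::System`. The same two lines are added in Admin/index.html and Admin/Elements/Tabs, so a single shared helper or component would keep the three checks identical.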

    — share/html/Admin/Elements/Tabs Tue Feb 1 09:20:40 2005
    +++ local/html/Admin/Elements/Tabs Tue Sep 6 17:37:05 2005
    @@ -50,7 +50,12 @@
    Title => $Title &>

    <%INIT>

    • my $tabs = { A => { title => loc(‘Users’),
      +my ($tabs, $superuser, $amisuperuser);
      +$superuser=new RT::User($session{‘CurrentUser’});
      +$amisuperuser=$superuser->CurrentUserHasRight(‘SuperUser’);
      +if ($amisuperuser) {
    • $tabs = { A => { title => loc(‘Users’),
      path => ‘Admin/Users/’,
      },
      B => { title => loc(‘Groups’),
      @@ -69,6 +74,12 @@
      path => ‘Admin/Tools/’,
      },
      };
      +} else {
    • $tabs = { A => { title => loc(‘Users’),
    • path =>  'Admin/Users/',
      
    • },
    • };
      +}

    Now let callbacks add their extra tabs

    $m->comp(’/Elements/Callback’, tabs => $tabs, %ARGS);