NAME

  RT::Group - RT\'s group object

SYNOPSIS

  use RT::Group;
my $group = new RT::Group($CurrentUser);

DESCRIPTION

An RT group object.

AUTHOR

Jesse Vincent, jesse@bestpractical.com

SEE ALSO

RT

METHODS

AvailableRights

Returns a hash of available rights for this object. The keys are the right names and the values are a description of what the rights do

SelfDescription

Returns a user-readable description of what this group is for and what it's named.

Load ID

Load a group object from the database. Takes a single argument. If the argument is numerical, load by the column 'id'. Otherwise, complain and return.

LoadUserDefinedGroup NAME

Loads a system group from the database. The only argument is the group's name.

LoadACLEquivalenceGroup PRINCIPAL

Loads a user's acl equivalence group. Takes a principal object. ACL equivalnce groups are used to simplify the acl system. Each user has one group that only he is a member of. Rights granted to the user are actually granted to that group. This greatly simplifies ACL checks. While this results in a somewhat more complex setup when creating users and granting ACLs, it _greatly_ simplifies acl checks.

LoadPersonalGroup {Name => NAME, User => USERID}

Loads a personal group from the database.

LoadSystemInternalGroup NAME

Loads a Pseudo group from the database. The only argument is the group's name.

LoadTicketRoleGroup { Ticket => TICKET_ID, Type => TYPE }

Loads a ticket group from the database.

Takes a param hash with 2 parameters:

    Ticket is the TicketId we're curious about
    Type is the type of Group we're trying to load: 
        Requestor, Cc, AdminCc, Owner

LoadQueueRoleGroup { Queue => Queue_ID, Type => TYPE }

Loads a Queue group from the database.

Takes a param hash with 2 parameters:

    Queue is the QueueId we're curious about
    Type is the type of Group we're trying to load: 
        Requestor, Cc, AdminCc, Owner

LoadSystemRoleGroup Type

Loads a System group from the database.

Takes a single param: Type

    Type is the type of Group we're trying to load: 
        Requestor, Cc, AdminCc, Owner

_Create

Takes a paramhash with named arguments: Name, Description.

Returns a tuple of (Id, Message). If id is 0, the create failed

CreateUserDefinedGroup { Name => "name", Description => "Description"}

A helper subroutine which creates a system group

Returns a tuple of (Id, Message). If id is 0, the create failed

_CreateACLEquivalenceGroup { Principal }

A helper subroutine which creates a group containing only an individual user. This gets used by the ACL system to check rights. Yes, it denormalizes the data, but that's ok, as we totally win on performance.

Returns a tuple of (Id, Message). If id is 0, the create failed

CreatePersonalGroup { PrincipalId => PRINCIPAL_ID, Name => "name", Description => "Description"}

A helper subroutine which creates a personal group. Generally, personal groups are used for ACL delegation and adding to ticket roles PrincipalId defaults to the current user's principal id.

Returns a tuple of (Id, Message). If id is 0, the create failed

CreateRoleGroup { Domain => DOMAIN, Type => TYPE, Instance => ID }

A helper subroutine which creates a ticket group. (What RT 2.0 called Ticket watchers) Type is one of ( "Requestor" || "Cc" || "AdminCc" || "Owner") Domain is one of (RT::Ticket-Role || RT::Queue-Role || RT::System-Role) Instance is the id of the ticket or queue in question

This routine expects to be called from {Ticket||Queue}->CreateTicketGroups _inside of a transaction_

Returns a tuple of (Id, Message). If id is 0, the create failed

Delete

Delete this object

SetDisabled BOOL

If passed a positive value, this group will be disabled. No rights it commutes or grants will be honored. It will not appear in most group listings.

This routine finds all the cached group members that are members of this group (recursively) and disables them. =cut

 # }}}
 sub SetDisabled {
     my $self = shift;
     my $val = shift;
    if ($self->Domain eq 'Personal') {
   		if ($self->CurrentUser->PrincipalId == $self->Instance) {
    		unless ( $self->CurrentUserHasRight('AdminOwnPersonalGroups')) {
        		return ( 0, $self->loc('Permission Denied') );
    		}
    	} else {
        	unless ( $self->CurrentUserHasRight('AdminAllPersonalGroups') ) {
   	    		 return ( 0, $self->loc('Permission Denied') );
    		}
    	}
	}
	else {
        unless ( $self->CurrentUserHasRight('AdminGroup') ) {
                 return (0, $self->loc('Permission Denied'));
    }
    }
    $RT::Handle->BeginTransaction();
    $self->PrincipalObj->SetDisabled($val);


    # Find all occurrences of this member as a member of this group
    # in the cache and nuke them, recursively.
    # The following code will delete all Cached Group members
    # where this member's group is _not_ the primary group 
    # (Ie if we're deleting C as a member of B, and B happens to be 
    # a member of A, will delete C as a member of A without touching
    # C as a member of B
    my $cached_submembers = RT::CachedGroupMembers->new( $self->CurrentUser );
    $cached_submembers->Limit( FIELD    => 'ImmediateParentId', OPERATOR => '=', VALUE    => $self->Id);
    #Clear the key cache. TODO someday we may want to just clear a little bit of the keycache space. 
    # TODO what about the groups key cache?
    RT::Principal->_InvalidateACLCache();

    while ( my $item = $cached_submembers->Next() ) {
        my $del_err = $item->SetDisabled($val);
        unless ($del_err) {
            $RT::Handle->Rollback();
            $RT::Logger->warning("Couldn't disable cached group submember ".$item->Id);
            return (undef);
        }
    }
    $RT::Handle->Commit();
    return (1, $self->loc("Succeeded"));

}

# }}}

sub Disabled { my $self = shift; $self->PrincipalObj->Disabled(@_); }

# {{{ DeepMembersObj

DeepMembersObj

Returns an RT::CachedGroupMembers object of this group's members.

UserMembersObj

Returns an RT::Users object of this group's members, including all members of subgroups

MembersObj

Returns an RT::CachedGroupMembers object of this group's members.

MemberEmailAddresses

Returns an array of the email addresses of all of this group's members

MemberEmailAddressesAsString

Returns a comma delimited string of the email addresses of all users who are members of this group.

AddMember PRINCIPAL_ID

AddMember adds a principal to this group. It takes a single principal id. Returns a two value array. the first value is true on successful addition or 0 on failure. The second value is a textual status msg.

HasMember RT::Principal

Takes an RT::Principal object returns a GroupMember Id if that user is a member of this group. Returns undef if the user isn't a member of the group or if the current user doesn't have permission to find out. Arguably, it should differentiate between ACL failure and non membership.

HasMemberRecursively RT::Principal

Takes an RT::Principal object and returns true if that user is a member of this group. Returns undef if the user isn't a member of the group or if the current user doesn't have permission to find out. Arguably, it should differentiate between ACL failure and non membership.

DeleteMember PRINCIPAL_ID

Takes the principal id of a current user or group. If the current user has apropriate rights, removes that GroupMember from this group. Returns a two value array. the first value is true on successful addition or 0 on failure. The second value is a textual status msg.

CurrentUserHasRight RIGHTNAME

Returns true if the current user has the specified right for this group.

    TODO: we don't deal with membership visibility yet

PrincipalObj

Returns the principal object for this user. returns an empty RT::Principal if there's no principal object matching this user. The response is cached. PrincipalObj should never ever change.

PrincipalId

Returns this user's PrincipalId