diff --git a/Kernel/Modules/AdminAttachment.pm b/Kernel/Modules/AdminAttachment.pm index 3c561ef622..49ecd7106d 100644 --- a/Kernel/Modules/AdminAttachment.pm +++ b/Kernel/Modules/AdminAttachment.pm @@ -30,6 +30,10 @@ sub new { my $Self = {%Param}; bless( $Self, $Type ); + if ( !$Param{AccessRw} && $Param{AccessRo} ) { + $Self->{LightAdmin} = 1; + } + return $Self; } @@ -51,6 +55,25 @@ sub Run { my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); + + # check permission for all linked templates. + if ( $Self->{LightAdmin} ) { + $Data{Permission} = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + Default => 'ro', + ); + if ( !$Data{Permission} ) { + %Data = (); + } + elsif ( $Data{Permission} eq 'ro' ) { + $Output .= $LayoutObject->Notify( + Priority => 'Notice', + Data => $LayoutObject->{LanguageObject}->Translate('No permission to edit this attachment.'), + ); + } + } + $Self->_Edit( Action => 'Change', %Data, @@ -89,6 +112,18 @@ sub Run { } } + if ( $Self->{LightAdmin} ) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $GetParam{ID}, + UserID => $Self->{UserID}, + ); + + # No permission to change the attachment. + if ( $Permission ne 'rw' ) { + $Errors{NoPermission} = 1; + } + } + # if no errors occurred if ( !%Errors ) { 
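Review bot: The restricted mode set up in `new` is opt-in: `LightAdmin` is set only when `AccessRo` is true and `AccessRw` is false, so if the caller passes neither flag, every `if ( $Self->{LightAdmin} )` guard added in this commit is skipped and the module behaves as for a full admin. Whether that can happen depends on the dispatcher, which is not visible here; deriving the flag from the absence of write access, `$Self->{LightAdmin} = $Param{AccessRw} ? 0 : 1;`, would fail closed. The same four lines are added to `new` in AdminNotificationEvent.pm, AdminQueueTemplates.pm, AdminTemplate.pm and AdminTemplateAttachment.pm, so a shared helper would keep the rule in one place.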
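Review bot: In the Change view a user without any permission only gets `%Data = ();`, and execution continues into `$Self->_Edit( Action => 'Change', %Data, ...)`, so an empty edit form is rendered instead of an error. Because `Permission` is cleared together with the rest of `%Data`, the template condition `Data.Permission != 'ro'` added later in this commit is true and the submit controls are shown. The write is still refused by the ChangeAction hunk that follows, but returning `$LayoutObject->ErrorScreen()` here, as the Download branch does for empty `%Data`, would be clearer. `Default => 'ro'` is passed, yet `StdAttachmentStandardTemplatePermission` as added in this commit never reads `$Param{Default}`. The Change views in AdminNotificationEvent.pm and AdminTemplate.pm clear `%Data` the same way; the rest of `Run` lies outside the hunk.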
@@ -231,7 +266,25 @@ sub Run { # challenge token check for write action $LayoutObject->ChallengeTokenCheck(); - my $ID = $ParamObject->GetParam( Param => 'ID' ); + my $ID = $ParamObject->GetParam( Param => 'ID' ); + + if ( $Self->{LightAdmin} ) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + ); + + # No permission to delete the attachment. + if ( $Permission ne 'rw' ) { + return $LayoutObject->Attachment( + ContentType => 'text/html', + Content => 0, + Type => 'inline', + NoCache => 1, + ); + } + } + my $Delete = $StdAttachmentObject->StdAttachmentDelete( ID => $ID, ); @@ -257,6 +310,20 @@ sub Run { my %Data = $StdAttachmentObject->StdAttachmentGet( ID => $ID, ); + + if ( $Self->{LightAdmin} ) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + Default => 'ro', + ); + + # No permission to download the attachment. + if ( !$Permission ) { + %Data = (); + } + } + if ( !%Data ) { return $LayoutObject->ErrorScreen(); } @@ -361,11 +428,21 @@ sub _Overview { # get valid list my %ValidList = $Kernel::OM->Get('Kernel::System::Valid')->ValidList(); + ID: for my $ID ( sort { $List{$a} cmp $List{$b} } keys %List ) { my %Data = $StdAttachmentObject->StdAttachmentGet( ID => $ID, ); + # check permission for all linked templates. + if ( $Self->{LightAdmin} ) { + $Data{Permission} = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + ); + next ID if !$Data{Permission}; + } + $LayoutObject->Block( Name => 'OverviewResultRow', Data => { diff --git a/Kernel/Modules/AdminNotificationEvent.pm b/Kernel/Modules/AdminNotificationEvent.pm index 7ba8240411..6eecbaa939 100644 --- a/Kernel/Modules/AdminNotificationEvent.pm +++ b/Kernel/Modules/AdminNotificationEvent.pm 
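Review bot: The refused delete returns `Content => 0` without writing a log entry, so repeated attempts by a restricted admin against attachments they may not change leave no trace. A `Kernel::System::Log` call at priority `notice` carrying `$Self->{UserID}` and `$ID`, placed before the `return`, would make them visible to whoever monitors the system log. `$Permission` is also undefined when `ID` is missing from the request, because the helper then returns nothing, and `$Permission ne 'rw'` emits an uninitialized-value warning; `if ( ( $Permission // '' ) ne 'rw' ) {` keeps the deny without the warning. The same comparison is used in the ChangeAction hunk of this file and in AdminTemplate.pm.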
@@ -31,6 +31,10 @@ sub new { my $Self = {%Param}; bless( $Self, $Type ); + if ( !$Param{AccessRw} && $Param{AccessRo} ) { + $Self->{LightAdmin} = 1; + } + return $Self; } @@ -38,6 +42,7 @@ sub Run { my ( $Self, %Param ) = @_; my $ConfigObject = $Kernel::OM->Get('Kernel::Config'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); my $RichText = $ConfigObject->Get('Frontend::RichText'); my $DynamicField = $Kernel::OM->Get('Kernel::System::DynamicField')->DynamicFieldListGet( Valid => 1, @@ -68,6 +73,9 @@ sub Run { # get registered transport layers my %RegisteredTransports = %{ $Kernel::OM->Get('Kernel::Config')->Get('Notification::Transport') || {} }; + # Get permission level. + my $Permission = $Self->{LightAdmin} ? '' : 'rw'; + # ------------------------------------------------------------ # # change # ------------------------------------------------------------ # @@ -83,6 +91,25 @@ sub Run { my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); + + if ( $Self->{LightAdmin} ) { + $Data{Permission} = $QueueObject->QueueListPermission( + QueueIDs => $Data{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + + # No permission for the notification. + if ( !$Data{Permission} ) { + %Data = (); + } + elsif ( $Data{Permission} eq 'ro' ) { + $Output .= $LayoutObject->Notify( + Priority => 'Notice', + Data => $LayoutObject->{LanguageObject}->Translate('No permission to edit this ticket notification.'), + ); + } + } + $Output .= $LayoutObject->Notify( Info => Translatable('Notification updated!') ) if ( $Notification && $Notification eq 'Update' ); $Self->_Edit( 
@@ -170,6 +197,19 @@ sub Run { } } + if ( $Self->{LightAdmin} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $GetParam{Data}->{QueueID}, + UserID => $Self->{UserID}, + ); + + # Queue is mandatory and can only contain queues with 'rw' permission. + if ( !$GetParam{Data}->{QueueID} || $Permission ne 'rw' ) { + $GetParam{QueueIDServerError} = "ServerError"; + $Error = 1; + } + } + # to store dynamic fields profile data my %DynamicFieldValues; @@ -414,6 +454,19 @@ sub Run { } } + if ( $Self->{LightAdmin} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $GetParam{Data}->{QueueID}, + UserID => $Self->{UserID}, + ); + + # Queue is mandatory and can only contain queues with 'rw' permission. + if ( !$GetParam{Data}->{QueueID} || $Permission ne 'rw' ) { + $GetParam{QueueIDServerError} = "ServerError"; + $Error = 1; + } + } + # to store dynamic fields profile data my %DynamicFieldValues; @@ -584,6 +637,23 @@ sub Run { $GetParam{$Parameter} = $ParamObject->GetParam( Param => $Parameter ) || ''; } + if ( $Self->{LightAdmin} ) { + my %Notification = $NotificationEventObject->NotificationGet( + ID => $GetParam{ID}, + UserID => $Self->{UserID}, + ); + + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $Notification{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + } + + # No permission to delete the notification. + if ( $Permission ne 'rw' ) { + return $LayoutObject->ErrorScreen(); + } + my $Delete = $NotificationEventObject->NotificationDelete( ID => $GetParam{ID}, UserID => $Self->{UserID}, 
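Review bot: The check added in the first two hunks here validates only the queue list submitted with the form (`$GetParam{Data}->{QueueID}`), not the queues the stored notification is currently bound to. If the first of them is the update path (the subaction header is outside the hunk), a save would go through for a notification whose current queues the user lacks 'rw' on, as long as the submitted queues are ones they hold 'rw' on. The Delete hunk further down loads the record with `NotificationGet( ID => $GetParam{ID}, ... )` and checks `$Notification{Data}{QueueID}`; the update path needs that check on the stored record in addition to the submitted one.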
@@ -612,7 +682,14 @@ sub Run { UserID => $Self->{UserID}, ); - if ( !IsHashRefWithData( \%NotificationSingleData ) ) { + if ( $Self->{LightAdmin} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $NotificationSingleData{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + } + + if ( !IsHashRefWithData( \%NotificationSingleData ) || $Permission ne 'rw' ) { return $LayoutObject->ErrorScreen( Message => $LayoutObject->{LanguageObject}->Translate( 'There was an error getting data for Notification with ID:%s!', $NotificationID ), ); @@ -633,7 +710,18 @@ sub Run { my @Data; for my $ItemID ( sort keys %Notificationdetails ) { - push @Data, $Notificationdetails{$ItemID}; + + # filter out notifications without rw permission on all queues. + $Permission = $Self->{LightAdmin} ? '' : 'rw'; + if ( $Self->{LightAdmin} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $Notificationdetails{$ItemID}{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + } + if ( $Permission eq 'rw' ) { + push @Data, $Notificationdetails{$ItemID}; + } } $NotificationData = \@Data; } @@ -666,7 +754,14 @@ sub Run { ID => $NotificationID, UserID => $Self->{UserID}, ); - if ( !IsHashRefWithData( \%NotificationData ) ) { + + if ( $Self->{LightAdmin} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $NotificationData{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + } + if ( !IsHashRefWithData( \%NotificationData ) || $Permission ne 'rw' ) { return $LayoutObject->ErrorScreen( Message => $LayoutObject->{LanguageObject}->Translate( 'Unknown Notification %s!', $NotificationID ), ); 
@@ -707,6 +802,30 @@ sub Run { Source => 'string', ); + # import only works if user has 'rw' permission on all queues. + if ( $Self->{LightAdmin} ) { + my $Notifications = $Kernel::OM->Get('Kernel::System::YAML')->Load( Data => $UploadStuff{Content} ); + + my $NoPermission; + NOTIFICATION: + for my $Notification ( @{$Notifications} ) { + $Permission = $QueueObject->QueueListPermission( + QueueIDs => $Notification->{Data}->{QueueID}, + UserID => $Self->{UserID}, + ); + if ( $Permission ne 'rw' ) { + $NoPermission = 1; + last NOTIFICATION; + } + } + if ($NoPermission) { + my $Message = $LayoutObject->{LanguageObject}->Translate( 'You need %s permissions!', 'rw' ); + return $LayoutObject->ErrorScreen( + Message => $Message, + ); + } + } + my $OverwriteExistingNotifications = $ParamObject->GetParam( Param => 'OverwriteExistingNotifications' ) || ''; my $NotificationImport = $NotificationEventObject->NotificationImport( @@ -798,6 +917,7 @@ sub _Edit { my ( $Self, %Param ) = @_; my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); $LayoutObject->Block( Name => 'Overview', 
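Review bot: The import pre-check dereferences the parsed upload without validating its shape: `@{$Notifications}` and `$Notification->{Data}->{QueueID}` assume an array of hashes, and a file that parses to a hash or a plain scalar dies with a reference error instead of reaching a handled `ErrorScreen`. Guard with `IsArrayRefWithData($Notifications)` and `IsHashRefWithData($Notification)`, both already used in this file, and treat a failed guard as no permission. The check also looks only at the queues named in the uploaded file; with `OverwriteExistingNotifications` set, whether an existing notification bound to other queues can be replaced depends on `NotificationImport`, which is outside this diff and worth confirming.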
@@ -932,6 +1052,53 @@ sub _Edit { Class => 'Modernize W75pc', ); + if ( $Self->{LightAdmin} ) { + + # Make the queue field mandatory. + $Param{LightAdmin} = 1; + + my %RoQueues = $QueueObject->GetAllQueues( UserID => $Self->{UserID} ); + my %RwQueues = $QueueObject->GetAllQueues( + UserID => $Self->{UserID}, + Type => 'rw', + ); + + # Add disabled queues + my @DisabledQueues; + my @VisibleSelected; + if ( IsArrayRefWithData( $Param{Data}->{QueueID} ) ) { + for my $QueueID ( @{ $Param{Data}->{QueueID} } ) { + if ( $RwQueues{$QueueID} ) { + push @VisibleSelected, $QueueID; + } + + elsif ( $RoQueues{$QueueID} ) { + + # show the queue but disable it + $RwQueues{$QueueID} = $RoQueues{$QueueID}; + + # this can have the sideeffect that if the agent has rw on queue X::Y, but queue X gets added here, + # X::Y will be disabled as part of the branch, too, but the agent cannot alter this notification anyways + push @DisabledQueues, $QueueID; + push @VisibleSelected, $QueueID; + } + + # else -> don't show queues you have no ro access + } + } + + $Param{QueuesStrg} = $LayoutObject->BuildSelection( + Data => \%RwQueues, + Size => 5, + Multiple => 1, + Name => 'QueueID', + TreeView => $TreeView, + SelectedID => \@VisibleSelected, + DisabledBranch => \@DisabledQueues, + Class => 'Modernize W75pc Validate_Required', + ); + } + $Param{PrioritiesStrg} = $LayoutObject->BuildSelection( Data => { $Kernel::OM->Get('Kernel::System::Priority')->PriorityList( 
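Review bot: `%RwQueues` no longer means what its name says once `$RwQueues{$QueueID} = $RoQueues{$QueueID};` adds read-only queues to it for display. Copying into a separately named hash, for example `my %SelectableQueues = %RwQueues;`, and passing that as `Data` keeps the 'rw' set intact for any later use in `_Edit`. A short comment such as `# DisabledBranch is presentation only; Run() enforces 'rw' via QueueListPermission()` would also help, since disabled options in the form are not a security boundary.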
@@ -1489,11 +1656,22 @@ sub _Overview { # get valid list my %ValidList = $Kernel::OM->Get('Kernel::System::Valid')->ValidList(); + ID: for my $NotificationID ( sort { $List{$a} cmp $List{$b} } keys %List ) { my %Data = $NotificationEventObject->NotificationGet( ID => $NotificationID, ); + + if ( $Self->{LightAdmin} ) { + $Data{Permission} = $Kernel::OM->Get('Kernel::System::Queue')->QueueListPermission( + QueueIDs => $Data{Data}{QueueID}, + UserID => $Self->{UserID}, + ); + + next ID if !$Data{Permission}; + } + $LayoutObject->Block( Name => 'OverviewResultRow', Data => { diff --git a/Kernel/Modules/AdminQueueTemplates.pm b/Kernel/Modules/AdminQueueTemplates.pm index 92888832fe..cf47193fd5 100644 --- a/Kernel/Modules/AdminQueueTemplates.pm +++ b/Kernel/Modules/AdminQueueTemplates.pm @@ -28,6 +28,10 @@ sub new { my $Self = {%Param}; bless( $Self, $Type ); + if ( !$Param{AccessRw} && $Param{AccessRo} ) { + $Self->{LightAdmin} = 1; + } + return $Self; } @@ -60,6 +64,33 @@ sub Run { $StandardTemplateData{TemplateType}, ); + if ( $Self->{LightAdmin} ) { + + # Filter out queues without permission. + my %RwQueues = $QueueObject->GetAllQueues( + UserID => $Self->{UserID}, + Type => 'rw', + ); + + for my $QueueID ( keys %QueueData ) { + delete $QueueData{$QueueID} if !$RwQueues{$QueueID}; + } + + # Check the permission. + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $ID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + + if ( $Permission ne 'rw' ) { + undef %StandardTemplateData; + undef %Member; + $StandardTemplateType = ''; + } + } + my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); $Output .= $Self->_Change( 
@@ -103,6 +134,33 @@ sub Run { QueueID => $ID, ); + if ( $Self->{LightAdmin} ) { + + # Filter out templates without permission. + for my $StandardTemplateID ( keys %StandardTemplateData ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $StandardTemplateID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + if ( $Permission ne 'rw' ) { + delete $StandardTemplateData{$StandardTemplateID}; + } + } + + # Check the permission. + my %RwQueues = $QueueObject->GetAllQueues( + UserID => $Self->{UserID}, + Type => 'rw', + ); + + if ( !$RwQueues{$ID} ) { + undef %QueueData; + undef %Member; + } + } + my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); $Output .= $Self->_Change( @@ -133,6 +191,25 @@ sub Run { # create hash with selected templates my %TemplatesSelected = map { $_ => 1 } @TemplatesSelected; + if ( $Self->{LightAdmin} ) { + ID: + for my $StandardTemplateID ( keys %TemplatesSelected ) { + next ID if !$StandardTemplateID; # Can contain empty string. + + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $StandardTemplateID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + if ( $Permission ne 'rw' ) { + return $LayoutObject->Redirect( + OP => "Action=$Self->{Action}" + ); + } + } + } + # check all used templates for my $TemplateID (@TemplatesAll) { my $Active = $TemplatesSelected{$TemplateID} ? 1 : 0; 
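Review bot: In the second hunk here the added loop checks each selected template, but nothing checks that the user holds 'rw' on the target of the assignment (`$ID`), and the loop that follows walks `@TemplatesAll` and also processes entries whose `$Active` is 0, which are never checked. If `$ID` and `@TemplatesAll` come from the request (their origin is above the hunk), a restricted admin's save can touch relations outside their queues. The same applies to the next hunk (`@@ -181`), where only `%QueuesSelected` is compared with `%RwQueues` while `@QueuesAll` drives the writes. Checking `$ID` and every member of the `...All` list before the first write would close this.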
@@ -181,6 +258,23 @@ sub Run { # create hash with selected queues my %QueuesSelected = map { $_ => 1 } @QueuesSelected; + # backend check to prevent saving without permission. + if ( $Self->{LightAdmin} ) { + my %RwQueues = $QueueObject->GetAllQueues( + UserID => $Self->{UserID}, + Type => 'rw', + ); + ID: + for my $QueueID ( keys %QueuesSelected ) { + next ID if !$QueueID; # Can contain empty string. + if ( !$RwQueues{$QueueID} ) { + return $LayoutObject->Redirect( + OP => "Action=$Self->{Action}" + ); + } + } + } + # check all used queues for my $QueueID (@QueuesAll) { my $Active = $QueuesSelected{$QueueID} ? 1 : 0; @@ -327,6 +421,7 @@ sub _Overview { my ( $Self, %Param ) = @_; my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); $LayoutObject->Block( Name => 'Overview', @@ -356,11 +451,23 @@ sub _Overview { . ' - ' . $Data{Name}; } + ID: for my $StandardTemplateID ( sort { uc( $StandardTemplateData{$a} ) cmp uc( $StandardTemplateData{$b} ) } keys %StandardTemplateData ) { + if ( $Self->{LightAdmin} ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $StandardTemplateID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + if ( $Permission ne 'rw' ) { + next ID; + } + } # set output class $LayoutObject->Block( @@ -385,6 +492,19 @@ sub _Overview { # get queue data my %QueueData = $Kernel::OM->Get('Kernel::System::Queue')->QueueList( Valid => 1 ); + if ( $Self->{LightAdmin} ) { + + # Filter out queues without permission. + my %RwQueues = $QueueObject->GetAllQueues( + UserID => $Self->{UserID}, + Type => 'rw', + ); + + for my $QueueID ( keys %QueueData ) { + delete $QueueData{$QueueID} if !$RwQueues{$QueueID}; + } + } + # if there are results to show if (%QueueData) { for my $QueueID ( sort { uc( $QueueData{$a} ) cmp uc( $QueueData{$b} ) } keys %QueueData ) { 
diff --git a/Kernel/Modules/AdminTemplate.pm b/Kernel/Modules/AdminTemplate.pm index b1e2eb957e..a2ce10f867 100644 --- a/Kernel/Modules/AdminTemplate.pm +++ b/Kernel/Modules/AdminTemplate.pm @@ -30,6 +30,10 @@ sub new { my $Self = {%Param}; bless( $Self, $Type ); + if ( !$Param{AccessRw} && $Param{AccessRo} ) { + $Self->{LightAdmin} = 1; + } + return $Self; } @@ -40,6 +44,7 @@ sub Run { my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); my $StandardTemplateObject = $Kernel::OM->Get('Kernel::System::StandardTemplate'); my $StdAttachmentObject = $Kernel::OM->Get('Kernel::System::StdAttachment'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); my $Notification = $ParamObject->GetParam( Param => 'Notification' ) || ''; @@ -62,6 +67,27 @@ sub Run { my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); + + if ( $Self->{LightAdmin} ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $ID ); + $Data{Permission} = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + + # No permission for the template. + if ( !$Data{Permission} ) { + %Data = (); + } + elsif ( $Data{Permission} eq 'ro' ) { + $Output .= $LayoutObject->Notify( + Priority => 'Notice', + Data => $LayoutObject->{LanguageObject}->Translate('No permission to edit this template.'), + ); + } + } + $Output .= $LayoutObject->Notify( Info => Translatable('Template updated!') ) if ( $Notification && $Notification eq 'Update' ); 
@@ -87,6 +113,20 @@ sub Run { $LayoutObject->ChallengeTokenCheck(); my @NewIDs = $ParamObject->GetArray( Param => 'IDs' ); + if ( $Self->{LightAdmin} ) { + my @CheckedIDs; + for my $ID (@NewIDs) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + ); + if ( $Permission eq 'rw' ) { + push @CheckedIDs, $ID; + } + } + @NewIDs = @CheckedIDs; + } + my ( %GetParam, %Errors ); for my $Parameter (qw(ID Name Comment ValidID TemplateType)) { $GetParam{$Parameter} = $ParamObject->GetParam( Param => $Parameter ) || ''; @@ -121,6 +161,20 @@ sub Run { $Errors{'NameInvalid'} = 'ServerError'; } + if ( $Self->{LightAdmin} ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $GetParam{ID} ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + + # No permission to change the template. + if ( $Permission ne 'rw' ) { + $Errors{NoPermission} = 1; + } + } + # if no errors occurred if ( !%Errors ) { @@ -216,6 +270,20 @@ sub Run { $LayoutObject->ChallengeTokenCheck(); my @NewIDs = $ParamObject->GetArray( Param => 'IDs' ); + if ( $Self->{LightAdmin} ) { + my @CheckedIDs; + for my $ID (@NewIDs) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + ); + if ( $Permission eq 'rw' ) { + push @CheckedIDs, $ID; + } + } + @NewIDs = @CheckedIDs; + } + my ( %GetParam, %Errors ); for my $Parameter (qw(ID Name Comment ValidID TemplateType)) { 
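Review bot: Dropping attachment IDs the user lacks 'rw' on from `@NewIDs` is silent, and together with the `_Edit` hunk that removes the same attachments from the selection list it may cause a save by a restricted admin to unlink attachments they could not even see. That depends on how `@NewIDs` is applied after this hunk (replacing the set versus adding to it), which is not visible; if it replaces the set, the existing links to non-'rw' attachments should be merged back into `@NewIDs` before saving. The same filter is repeated in the `@@ -216` hunk.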
@@ -318,6 +386,20 @@ sub Run { my $ID = $ParamObject->GetParam( Param => 'ID' ); + if ( $Self->{LightAdmin} ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $ID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + + # No permission to delete the template. + if ( $Permission ne 'rw' ) { + return $LayoutObject->ErrorScreen(); + } + } + my $Delete = $StandardTemplateObject->StandardTemplateDelete( ID => $ID, ); @@ -385,7 +467,21 @@ sub _Edit { Class => 'Modernize Validate_Required ' . ( $Param{Errors}->{'TemplateTypeInvalid'} || '' ), ); - my %AttachmentData = $Kernel::OM->Get('Kernel::System::StdAttachment')->StdAttachmentList( Valid => 1 ); + my $StdAttachmentObject = $Kernel::OM->Get('Kernel::System::StdAttachment'); + my %AttachmentData = $StdAttachmentObject->StdAttachmentList( Valid => 1 ); + + if ( $Self->{LightAdmin} ) { + for my $Key ( sort keys %AttachmentData ) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $Key, + UserID => $Self->{UserID}, + ); + if ( $Permission ne 'rw' ) { + delete $AttachmentData{$Key}; + } + } + } + $Param{AttachmentOption} = $LayoutObject->BuildSelection( Data => \%AttachmentData, Name => 'IDs', @@ -449,6 +545,7 @@ sub _Overview { my ( $Self, %Param ) = @_; my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); $LayoutObject->Block( Name => 'Overview', 
@@ -483,10 +580,23 @@ sub _Overview { # get valid list my %ValidList = $Kernel::OM->Get('Kernel::System::Valid')->ValidList(); + ID: for my $ID ( sort { $ListGet{$a}->{SortName} cmp $ListGet{$b}->{SortName} } keys %ListGet ) { my %Data = %{ $ListGet{$ID} }; + + # check queue permissions of linked templates. + if ( $Self->{LightAdmin} ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $Data{ID} ); + $Data{Permission} = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + next ID if !$Data{Permission}; + } + my @SelectedAttachment; my %SelectedAttachmentData = $Kernel::OM->Get('Kernel::System::StdAttachment')->StdAttachmentStandardTemplateMemberList( StandardTemplateID => $ID, diff --git a/Kernel/Modules/AdminTemplateAttachment.pm b/Kernel/Modules/AdminTemplateAttachment.pm index 9226c06edf..1f44fb9eb3 100644 --- a/Kernel/Modules/AdminTemplateAttachment.pm +++ b/Kernel/Modules/AdminTemplateAttachment.pm @@ -30,6 +30,10 @@ sub new { my $Self = {%Param}; bless( $Self, $Type ); + if ( !$Param{AccessRw} && $Param{AccessRo} ) { + $Self->{LightAdmin} = 1; + } + return $Self; } @@ -40,6 +44,7 @@ sub Run { my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); my $StandardTemplateObject = $Kernel::OM->Get('Kernel::System::StandardTemplate'); my $StdAttachmentObject = $Kernel::OM->Get('Kernel::System::StdAttachment'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); # ------------------------------------------------------------ # # template <-> attachment 1:n 
@@ -59,6 +64,34 @@ sub Run { StandardTemplateID => $ID, ); + if ( $Self->{LightAdmin} ) { + + # Filter out attachments without permission. + if (%StdAttachmentData) { + for my $StdAttachmentID ( sort keys %StdAttachmentData ) { + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $StdAttachmentID, + UserID => $Self->{UserID}, + ); + if ( $Permission ne 'rw' ) { + delete $StdAttachmentData{$StdAttachmentID}; + } + } + } + + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $ID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + + if ( $Permission ne 'rw' ) { + undef %StandardTemplateData; + undef %Member; + } + } + my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); $Output .= $Self->_Change( @@ -101,6 +134,32 @@ sub Run { AttachmentID => $ID, ); + if ( $Self->{LightAdmin} ) { + + # Filter out templates without permission. + for my $StandardTemplateID ( keys %StandardTemplateData ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $StandardTemplateID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + if ( $Permission ne 'rw' ) { + delete $StandardTemplateData{$StandardTemplateID}; + } + } + + # Check the permission. + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $ID, + UserID => $Self->{UserID}, + ); + if ( $Permission ne 'rw' ) { + undef %StdAttachmentData; + undef %Member; + } + } + my $Output = $LayoutObject->Header(); $Output .= $LayoutObject->NavigationBar(); $Output .= $Self->_Change( 
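Review bot: Only the two display branches of `Run` gain permission filtering in this file; no hunk touches the branches between the second view and `_Overview` that store the template–attachment relation. AdminQueueTemplates.pm receives an explicit "backend check to prevent saving without permission" for its equivalent actions, so unless the save paths here are protected elsewhere, the filtering is presentation only and a save request from a restricted admin would not be refused. The save branches need the same `QueueListPermission` and `StdAttachmentStandardTemplatePermission` checks on the target ID and on every submitted ID.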
@@ -304,6 +363,7 @@ sub _Overview { my ( $Self, %Param ) = @_; my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout'); + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); $LayoutObject->Block( Name => 'Overview', @@ -322,6 +382,19 @@ sub _Overview { my %StandardTemplateData = $StandardTemplateObject->StandardTemplateList( Valid => 1, ); + if ( $Self->{LightAdmin} && %StandardTemplateData ) { + for my $StandardTemplateID ( sort keys %StandardTemplateData ) { + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $StandardTemplateID ); + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Self->{UserID}, + Default => 'rw', + ); + if ( $Permission ne 'rw' ) { + delete $StandardTemplateData{$StandardTemplateID}; + } + } + } # if there are any templates, they are shown if (%StandardTemplateData) { @@ -360,6 +433,17 @@ sub _Overview { # get queue data my %StdAttachmentData = $Kernel::OM->Get('Kernel::System::StdAttachment')->StdAttachmentList( Valid => 1 ); + if ( $Self->{LightAdmin} && %StdAttachmentData ) { + for my $StdAttachmentID ( sort keys %StdAttachmentData ) { + my $Permission = $Kernel::OM->Get('Kernel::System::StdAttachment')->StdAttachmentStandardTemplatePermission( + ID => $StdAttachmentID, + UserID => $Self->{UserID}, + ); + if ( $Permission ne 'rw' ) { + delete $StdAttachmentData{$StdAttachmentID}; + } + } + } # if there are any attachments, they are shown if (%StdAttachmentData) { diff --git a/Kernel/Output/HTML/Templates/Standard/AdminAttachment.tt b/Kernel/Output/HTML/Templates/Standard/AdminAttachment.tt index 9248fbaedb..7cb8eac14a 100644 --- a/Kernel/Output/HTML/Templates/Standard/AdminAttachment.tt +++ b/Kernel/Output/HTML/Templates/Standard/AdminAttachment.tt 
@@ -116,10 +116,12 @@ [% Data.ChangeTime | Localize("TimeShort") %] [% Data.CreateTime | Localize("TimeShort") %] + [% IF Data.Permission != 'ro' %] [% Translate("Delete this attachment") | html %] + [% END %] [% RenderBlockEnd("OverviewResultRow") %] @@ -201,7 +203,7 @@
- + [% IF Data.Permission != 'ro' %]
@@ -219,6 +221,7 @@
+ [% END %] diff --git a/Kernel/Output/HTML/Templates/Standard/AdminNotificationEvent.tt b/Kernel/Output/HTML/Templates/Standard/AdminNotificationEvent.tt index e4c7f56d74..93ce10d11e 100644 --- a/Kernel/Output/HTML/Templates/Standard/AdminNotificationEvent.tt +++ b/Kernel/Output/HTML/Templates/Standard/AdminNotificationEvent.tt @@ -144,6 +144,7 @@ [% Translate(Data.Valid) | html %] [% Data.ChangeTime | Localize("TimeShort") %] [% Data.CreateTime | Localize("TimeShort") %] + [% IF Data.Permission != 'ro' %] [% Translate("Export") | html %] [% Translate("Copy") | html %] @@ -151,6 +152,11 @@ + [% ELSE %] + + + + [% END %] [% RenderBlockEnd("OverviewResultRow") %] @@ -287,11 +293,24 @@
+ [% IF Data.LightAdmin %] + +
+ [% Data.QueuesStrg %] +
+

[% Translate("This field is required.") | html %]

+
+
+
+ [% ELSE %]
[% Data.QueuesStrg %]
+ [% END %]
@@ -656,7 +675,7 @@
- + [% IF Data.Permission != 'ro' %]

[% Translate("Save Changes") | html %]

@@ -681,7 +700,7 @@
- + [% END %]
+ [% IF Data.Permission != 'ro' %]
[% IF Data.Action == 'Change' %] @@ -233,6 +236,7 @@ [% Translate("Cancel") | html %]
+ [% END %] diff --git a/Kernel/System/Queue.pm b/Kernel/System/Queue.pm index 0baf63a478..e31fd7b2a0 100644 --- a/Kernel/System/Queue.pm +++ b/Kernel/System/Queue.pm @@ -19,7 +19,8 @@ package Kernel::System::Queue; use strict; use warnings; -use parent qw(Kernel::System::EventHandler); +use parent qw(Kernel::System::EventHandler); +use Kernel::System::VariableCheck qw(IsArrayRefWithData); our @ObjectDependencies = ( 'Kernel::Config', 
@@ -1418,4 +1419,76 @@ sub NameExistsCheck { return 0; } +=for stopwords ro rw !qux + +=head2 QueueListPermission() + +Get the permission for a list of queues. +Returns nothing if the user has no 'ro' on any queue, 'ro' if the user has no 'rw' on at least one queue +and 'rw' if the user has full permission on all queues. + + my $Permission = $QueueObject->QueueListPermission( + QueueIDs => \@QueueIDs, # optional + UserID => $Param{UserID}, + Default => 'rw', # (optional) default 'ro' (ro|rw) fallback permission if no queues given + ); + +=cut + +sub QueueListPermission { + my ( $Self, %Param ) = @_; + + # Check needed stuff. + if ( !$Param{UserID} ) { + $Kernel::OM->Get('Kernel::System::Log')->Log( + Priority => 'error', + Message => 'Need UserID!', + ); + return; + } + + my %RoQueues = $Self->GetAllQueues( UserID => $Param{UserID} ); + my %RwQueues = $Self->GetAllQueues( + UserID => $Param{UserID}, + Type => 'rw', + ); + + # 'ro' is the default permission if no queue is given and parameter 'Default' is not set. + my $DefaultPermission = $Param{Default} || 'ro'; + + return $DefaultPermission if !IsArrayRefWithData( $Param{QueueIDs} ); + + # final permission is rw or '' if all are of that kind, else ro + my $Permission; + QUEUE: + for my $QueueID ( @{ $Param{QueueIDs} } ) { + if ( !defined $Permission ) { + if ( $RwQueues{$QueueID} ) { + $Permission = 'rw'; + } + elsif ( $RoQueues{$QueueID} ) { + $Permission = 'ro'; + last QUEUE; + } + else { + $Permission = ''; + } + } + + elsif ( $Permission eq '' ) { + if ( $RwQueues{$QueueID} || $RwQueues{$QueueID} ) { + $Permission = 'ro'; + last QUEUE; + } + } + + elsif ( !$RwQueues{$QueueID} ) { + $Permission = 'ro'; + last QUEUE; + } + } + + return $Permission; +} + 1; diff --git a/Kernel/System/StdAttachment.pm b/Kernel/System/StdAttachment.pm index 0d765e7b9e..abb3e9595c 100644 --- a/Kernel/System/StdAttachment.pm +++ b/Kernel/System/StdAttachment.pm 
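Review bot: In `QueueListPermission` the branch for `$Permission eq ''` tests `$RwQueues{$QueueID} || $RwQueues{$QueueID}`, the same hash twice; the second operand was presumably meant to be `%RoQueues`, i.e. `if ( $RwQueues{$QueueID} || $RoQueues{$QueueID} ) {`. As written, a list that starts with a queue the user cannot see followed by a read-only queue yields '' while the reverse order yields 'ro', and callers pass `[ keys %Queues ]`, whose order is not stable, so the result of an access decision can vary between requests. The two `GetAllQueues` calls also run before `return $DefaultPermission` for an empty list and are repeated for every row in the overview loops; moving the early return above them avoids lookups that are never used.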
@@ -31,6 +31,7 @@ our @ObjectDependencies = ( 'Kernel::System::DB', 'Kernel::System::Encode', 'Kernel::System::Log', + 'Kernel::System::Queue', 'Kernel::System::Valid', ); 
@@ -659,4 +660,67 @@ sub StdAttachmentStandardTemplateMemberList { return %Data; } +=for stopwords ro rw !qux + +=head2 StdAttachmentStandardTemplatePermission() + +Get the lowest permission level of all linked queues (attachment->template->queue). +Returns nothing if the user has no 'ro' on at least one linked queue, 'ro' if the user has no 'rw' on +at least one linked queue and 'rw' if the user has full permission on all queues or no link exists at all. + + my $Permission = $StdAttachmentObject->StdAttachmentStandardTemplatePermission( + ID => $AttachmentID, + UserID => $Param{UserID}, + Default => 'ro', # (optional) lowest permission level + ); + +=cut + +sub StdAttachmentStandardTemplatePermission { + my ( $Self, %Param ) = @_; + + # Check needed stuff. + for my $Needed (qw(ID UserID)) { + if ( !$Param{$Needed} ) { + $Kernel::OM->Get('Kernel::System::Log')->Log( + Priority => 'error', + Message => "Need $Needed!", + ); + return; + } + } + + my $QueueObject = $Kernel::OM->Get('Kernel::System::Queue'); + + # Get all linked templates. + my %TemplateList = $Self->StdAttachmentStandardTemplateMemberList( AttachmentID => $Param{ID} ); + + # 'rw' is the default permission on not linked attachments. + return 'rw' if !%TemplateList; + + my $Permission; + + for my $TemplateID ( keys %TemplateList ) { + + # Get all queues linked with the template. + my %Queues = $QueueObject->QueueStandardTemplateMemberList( StandardTemplateID => $TemplateID ); + my $TemplatePermission = $QueueObject->QueueListPermission( + QueueIDs => [ keys %Queues ], + UserID => $Param{UserID}, + Default => 'rw', + ); + + if ( !defined $Permission ) { + $Permission = $TemplatePermission // ''; + + return 'ro' if $Permission eq 'ro'; + } + elsif ( $Permission ne $TemplatePermission ) { + return 'ro'; + } + } + + return $Permission; +} + 1;
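Review bot: `StdAttachmentStandardTemplatePermission` documents a `Default` parameter and AdminAttachment.pm passes `Default => 'ro'`, but the body never reads `$Param{Default}` and always returns 'rw' for an attachment with no linked template. The POD also says nothing is returned when the user lacks 'ro' on a linked queue, yet a mix of '' and 'rw' across templates returns 'ro' through the `$Permission ne $TemplatePermission` branch, so callers that test `!$Permission` treat such an attachment as readable. If the documented behaviour is the intent, honour the parameter with `return $Param{Default} || 'rw' if !%TemplateList;` and track the lowest level across all templates; otherwise correct the POD so it describes the actual result.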