Merge branch '6.0/filter-components-in-views'

bestpractical · Jan 24, 2025 · 96d02db · 96d02db
2 parents f38879c + e23385c
commit 96d02db
Show file tree

Hide file tree

Showing 27 changed files with 268 additions and 31 deletions.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
@@ -6511,6 +6511,25 @@ sub GetInvalidFields {
     return @fields;
 }
 
+=head2 LoadComponent $PATH
+
+Takes a mason component path and returns the corresponding L<HTML::Mason::Component> object.
+
+Aborts if it can't be loaded.
+
+=cut
+
+sub LoadComponent {
+    my $path = shift;
+    my $comp;
+    eval { $comp = $m->fetch_comp($path) };
+    if ($@) {
+        RT->Logger->warning("Error loading $path: $@");
+        Abort( loc('Error'), SuppressHeader => 1 );
+    }
+    return $comp;
+}
+
 package RT::Interface::Web;
 RT::Base->_ImportOverlays();
 

diff --git a/share/html/Asset/Elements/EditDates b/share/html/Asset/Elements/EditDates
@@ -62,3 +62,7 @@
 <%args>
 $AssetObj
 </%args>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Asset/Elements/EditPeopleInline b/share/html/Asset/Elements/EditPeopleInline
@@ -90,3 +90,7 @@
 <%ARGS>
 $AssetObj => undef
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Asset/Elements/ShowBasics b/share/html/Asset/Elements/ShowBasics
@@ -60,3 +60,7 @@
 <%args>
 $AssetObj
 </%args>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Asset/Elements/ShowDates b/share/html/Asset/Elements/ShowDates
@@ -65,3 +65,7 @@
 <%args>
 $AssetObj
 </%args>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Asset/Elements/ShowPeople b/share/html/Asset/Elements/ShowPeople
@@ -78,3 +78,7 @@ my $CatalogObj = $AssetObj->CatalogObj;
 
 <& /Elements/ShowCustomFields, Object => $AssetObj, Grouping => 'People', Table => 0 &>
 % $m->callback( %ARGS, CallbackName => 'AfterPeople' );
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Asset/Widgets/autohandler b/share/html/Asset/Widgets/autohandler
@@ -0,0 +1,50 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2024 Best Practical Solutions, LLC
+%#                                          <[email protected]>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Elements/EditCustomFields b/share/html/Elements/EditCustomFields
@@ -112,3 +112,7 @@ $InTable => 0
 $ShowHints => 1
 $ForCreation => 0
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Elements/EditLinks b/share/html/Elements/EditLinks
@@ -94,3 +94,7 @@ $Mode => undef
 $Object => undef
 $TwoColumn => 1
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Elements/ShowCustomFields b/share/html/Elements/ShowCustomFields
@@ -171,3 +171,7 @@ $HideEmpty => 0
 $LabelCols => 3
 $ValueCols => 9
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Elements/ShowLinks b/share/html/Elements/ShowLinks
@@ -138,3 +138,7 @@ if (    $Object->isa("RT::Ticket")
 <%ARGS>
 $Object
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/EditBasics b/share/html/Ticket/Elements/EditBasics
@@ -204,3 +204,6 @@ for my $field (@fields) {
 </div>
 % }
 
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/EditDates b/share/html/Ticket/Elements/EditDates
@@ -111,3 +111,7 @@
 <%ARGS>
 $TicketObj => undef
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/EditPeopleInline b/share/html/Ticket/Elements/EditPeopleInline
@@ -145,3 +145,7 @@
 <%ARGS>
 $Ticket => undef
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/Reminders b/share/html/Ticket/Elements/Reminders
@@ -251,3 +251,7 @@ $Index
   </div>
 </div>
 </%method>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowAssets b/share/html/Ticket/Elements/ShowAssets
@@ -232,3 +232,7 @@ if ($ShowRelatedTickets) {
 </form>
 
 </&>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowBasics b/share/html/Ticket/Elements/ShowBasics
@@ -98,3 +98,7 @@ $UngroupedCFs => 0
 <%init>
 
 </%init>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowDates b/share/html/Ticket/Elements/ShowDates
@@ -134,3 +134,7 @@ if ($UpdatedLink and $Ticket) {
     }
 }
 </%INIT>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowDependencyStatus b/share/html/Ticket/Elements/ShowDependencyStatus
@@ -78,3 +78,7 @@ my $approvals = $deps->Count || 0;
 
 return unless $depends or $approvals;
 </%init>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowDescription b/share/html/Ticket/Elements/ShowDescription
@@ -59,3 +59,7 @@
 <%args>
 $Ticket => undef
 </%args>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowPeople b/share/html/Ticket/Elements/ShowPeople
@@ -130,3 +130,7 @@
 <%ARGS>
 $Ticket => undef
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowRequestor b/share/html/Ticket/Elements/ShowRequestor
@@ -202,3 +202,7 @@ $ShowGroups => 1
 $Title => 'More about [_1]'
 $HTMXLoad => undef
 </%ARGS>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Elements/ShowTimes b/share/html/Ticket/Elements/ShowTimes
@@ -104,3 +104,7 @@ if ( $Ticket->CurrentUserCanSeeTime ) {
 $Ticket => undef
 $UngroupedCFs => 0
 </%args>
+
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Ticket/Widgets/autohandler b/share/html/Ticket/Widgets/autohandler
@@ -0,0 +1,50 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2024 Best Practical Solutions, LLC
+%#                                          <[email protected]>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<%attr>
+directly_accessible => 1
+</%attr>
diff --git a/share/html/Views/Asset/dhandler b/share/html/Views/Asset/dhandler
@@ -47,8 +47,26 @@
 %# END BPS TAGGED BLOCK }}}
 <%INIT>
 my ($component_name) = $m->dhandler_arg;
-my %extra_args;
 
+my $path;
+if ( $m->comp_exists("/Asset/$component_name") ) {
+    $path = "/Asset/$component_name";
+}
+elsif ( $m->comp_exists("/Asset/Elements/$component_name") ) {
+    $path = "/Asset/Elements/$component_name";
+}
+else {
+    RT->Logger->warning( "Component $component_name does not exist" );
+    Abort( loc('Invalid Path'), SuppressHeader => 1 );
+}
+
+my $comp = LoadComponent($path);
+unless ( $comp->attr_if_exists('directly_accessible') ) {
+    RT->Logger->warning("To load $path in views, it needs to have attr 'directly_accessible' set to 1");
+    Abort( loc('Invalid Path'), SuppressHeader => 1 );
+}
+
+my %extra_args;
 if ( $component_name =~ m{/Create/} ) {
     return unless $Catalog;
     my $catalog = RT::Catalog->new( $session{CurrentUser} );
@@ -72,18 +90,6 @@ else {
     $extra_args{Asset} = $extra_args{AssetObj} = $asset;
 }
 
-my $path;
-if ( $m->comp_exists("/Asset/$component_name") ) {
-    $path = "/Asset/$component_name";
-}
-elsif ( $m->comp_exists("/Asset/Elements/$component_name") ) {
-    $path = "/Asset/Elements/$component_name";
-}
-else {
-    RT->Logger->warning( "Component $component_name does not exist" );
-    Abort( loc('Invalid Path'), SuppressHeader => 1 );
-}
-
 my $out;
 eval { $out = $m->scomp( $path, %ARGS, %extra_args ) };
 if ($@) {

diff --git a/share/html/Views/Component/dhandler b/share/html/Views/Component/dhandler
@@ -49,6 +49,33 @@
 <%init>
 my ($component_name) = $m->dhandler_arg;
 
+my $path;
+if ( $component_name ne 'SavedSearch' ) {
+    if ( $m->comp_exists("/$component_name") ) {
+        $path = "/$component_name";
+    }
+    elsif ( $m->comp_exists("/Elements/$component_name") ) {
+        $path = "/Elements/$component_name";
+    }
+    else {
+        RT->Logger->warning( "Component $component_name does not exist" );
+        Abort( loc('Invalid Path'), SuppressHeader => 1 );
+    }
+
+    my $comp = LoadComponent($path);
+    my @allowed_list = @{ RT->Config->Get('SelfServicePageComponents') || [] };
+    if ( $session{CurrentUser}->Privileged ) {
+        push @allowed_list, @{ RT->Config->Get('HomepageComponents') || [] };
+    }
+
+    unless ( $comp->attr_if_exists('directly_accessible') || grep { $component_name eq $_ } @allowed_list ) {
+        RT->Logger->warning(
+            "To load $path in views, it needs to be in homepage components or have attr 'directly_accessible' set to 1"
+        );
+        Abort( loc('Invalid Path'), SuppressHeader => 1 );
+    }
+}
+
 if ( $component_name eq 'SavedSearch' ) {
     # Put Override args in the correct structure
     $ARGS{Override} = {};
@@ -77,11 +104,7 @@ if ( $component_name eq 'SavedSearch' ) {
     eval { $out = $m->scomp( "/Elements/ShowSearch", %ARGS ) };
 }
 else {
-    unless ( $m->comp_exists("/Elements/$component_name") ) {
-        RT->Logger->warning("Component $component_name does not exist");
-        Abort( loc('Invalid Path'), SuppressHeader => 1 );
-    }
-    eval { $out = $m->scomp( "/Elements/$component_name", %ARGS ) };
+    eval { $out = $m->scomp( $path, %ARGS ) };
 }
 
 if ($@) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -204,3 +204,6 @@ for my $field (@fields) { @@
     </div>
     % }
+    <%attr>
+    directly_accessible => 1
+    </%attr>