Core/RBAC: Add default groups to accounts based on their security level.

- Removed config option RBAC.DefaultGroups

Use the table rbac_security_level_groups to configure the groups to be added to the account at load time.

Note: Those groups are only used at run time, never saved to DB

src/server/game/Accounts/AccountMgr.cpp

@@ -56,19 +56,8 @@ AccountOpResult AccountMgr::CreateAccount(std::string username, std::string pass
     LoginDatabase.DirectExecute(stmt); // Enforce saving, otherwise AddGroup can fail
 
     stmt = LoginDatabase.GetPreparedStatement(LOGIN_INS_REALM_CHARACTERS_INIT);
-
     LoginDatabase.Execute(stmt);
 
-    // Add default rbac groups for that security level
-    rbac::RBACData* rbac = new rbac::RBACData(GetId(username), username, -1);
-    // No need to Load From DB, as it's new data
-
-    rbac::RBACGroupContainer const& groupsToAdd = _defaultSecGroups[0]; // 0: Default sec level
-    for (rbac::RBACGroupContainer::const_iterator it = groupsToAdd.begin(); it != groupsToAdd.end(); ++it)
-        rbac->AddGroup(*it, -1);
-
-    delete rbac;
-
     return AOR_OK;                                          // everything's fine
 }
 
@@ -403,7 +392,7 @@ void AccountMgr::LoadRBAC()
 {
     ClearRBAC();
 
-    TC_LOG_INFO(LOG_FILTER_RBAC, "AccountMgr::LoadRBAC");
+    TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, "AccountMgr::LoadRBAC");
     uint32 oldMSTime = getMSTime();
     uint32 count1 = 0;
     uint32 count2 = 0;
@@ -413,7 +402,7 @@ void AccountMgr::LoadRBAC()
     QueryResult result = LoginDatabase.Query("SELECT id, name FROM rbac_permissions");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account permission definitions. DB table `rbac_permissions` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account permission definitions. DB table `rbac_permissions` is empty.");
         return;
     }
 
@@ -430,7 +419,7 @@ void AccountMgr::LoadRBAC()
     result = LoginDatabase.Query("SELECT id, name FROM rbac_roles");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account role definitions. DB table `rbac_roles` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account role definitions. DB table `rbac_roles` is empty.");
         return;
     }
 
@@ -447,7 +436,7 @@ void AccountMgr::LoadRBAC()
     result = LoginDatabase.Query("SELECT roleId, permissionId FROM rbac_role_permissions");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account role-permission definitions. DB table `rbac_role_permissions` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account role-permission definitions. DB table `rbac_role_permissions` is empty.");
         return;
     }
 
@@ -464,7 +453,7 @@ void AccountMgr::LoadRBAC()
     result = LoginDatabase.Query("SELECT id, name FROM rbac_groups");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account group definitions. DB table `rbac_groups` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account group definitions. DB table `rbac_groups` is empty.");
         return;
     }
 
@@ -481,7 +470,7 @@ void AccountMgr::LoadRBAC()
     result = LoginDatabase.Query("SELECT groupId, roleId FROM rbac_group_roles");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account group-role definitions. DB table `rbac_group_roles` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account group-role definitions. DB table `rbac_group_roles` is empty.");
         return;
     }
 
@@ -498,7 +487,7 @@ void AccountMgr::LoadRBAC()
     result = LoginDatabase.Query("SELECT secId, groupId FROM rbac_security_level_groups ORDER by secId ASC");
     if (!result)
     {
-        TC_LOG_INFO(LOG_FILTER_SQL, ">> Loaded 0 account default groups for security levels definitions. DB table `rbac_security_level_groups` is empty.");
+        TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded 0 account default groups for security levels definitions. DB table `rbac_security_level_groups` is empty.");
         return;
     }
 
@@ -517,54 +506,12 @@ void AccountMgr::LoadRBAC()
     while (result->NextRow());
 
     TC_LOG_INFO(LOG_FILTER_SERVER_LOADING, ">> Loaded %u permission definitions, %u role definitions and %u group definitions in %u ms", count1, count2, count3, GetMSTimeDiffToNow(oldMSTime));
-
-    TC_LOG_DEBUG(LOG_FILTER_RBAC, "AccountMgr::LoadRBAC: Loading default groups");
-    // Load default groups to be added to any RBAC Object.
-    std::string defaultGroups = sConfigMgr->GetStringDefault("RBAC.DefaultGroups", "");
-    Tokenizer tokens(defaultGroups, ',');
-    for (Tokenizer::const_iterator itr = tokens.begin(); itr != tokens.end(); ++itr)
-        if (uint32 groupId = atoi(*itr))
-            _defaultGroups.insert(groupId);
 }
 
 void AccountMgr::UpdateAccountAccess(rbac::RBACData* rbac, uint32 accountId, uint8 securityLevel, int32 realmId)
 {
-    int32 serverRealmId = realmId != -1 ? realmId : sConfigMgr->GetIntDefault("RealmID", 0);
-    bool needDelete = false;
-    if (!rbac)
-    {
-        needDelete = true;
-        rbac = new rbac::RBACData(accountId, "", serverRealmId);
-        rbac->LoadFromDB();
-    }
-
-    // Get max security level and realm (checking current realm and -1)
-    PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_ACCESS_BY_ID);
-    stmt->setUInt32(0, accountId);
-    stmt->setInt32(1, serverRealmId);
-    PreparedQueryResult result = LoginDatabase.Query(stmt);
-    if (result)
-    {
-        do
-        {
-            Field* field = result->Fetch();
-            uint8 secLevel = field[0].GetUInt8();
-            int32 realmId = field[1].GetUInt32();
-
-            rbac::RBACGroupContainer const& groupsToRemove = _defaultSecGroups[secLevel];
-            for (rbac::RBACGroupContainer::const_iterator it = groupsToRemove.begin(); it != groupsToRemove.end(); ++it)
-                rbac->RemoveGroup(*it, realmId);
-        }
-        while (result->NextRow());
-    }
-
-    // Add new groups depending on the new security Level
-    rbac::RBACGroupContainer const& groupsToAdd = _defaultSecGroups[securityLevel];
-    for (rbac::RBACGroupContainer::const_iterator it = groupsToAdd.begin(); it != groupsToAdd.end(); ++it)
-        rbac->AddGroup(*it, realmId);
-
-    if (needDelete)
-        delete rbac;
+    if (rbac)
+        rbac->SetSecurityLevel(securityLevel);
 
     // Delete old security level from DB
     if (realmId == -1)
@@ -653,6 +600,5 @@ void AccountMgr::ClearRBAC()
     _permissions.clear();
     _roles.clear();
     _groups.clear();
-    _defaultGroups.clear();
     _defaultSecGroups.clear();
 }

src/server/game/Accounts/AccountMgr.h

@@ -93,15 +93,14 @@ class AccountMgr
         rbac::RBACGroupsContainer const& GetRBACGroupList() const { return _groups; }
         rbac::RBACRolesContainer const& GetRBACRoleList() const { return _roles; }
         rbac::RBACPermissionsContainer const& GetRBACPermissionList() const { return _permissions; }
-        rbac::RBACGroupContainer const& GetRBACDefaultGroups() const { return _defaultGroups; }
+        rbac::RBACGroupContainer const& GetRBACDefaultGroups(uint8 secLevel) { return _defaultSecGroups[secLevel]; }
 
     private:
         void ClearRBAC();
         rbac::RBACPermissionsContainer _permissions;
         rbac::RBACRolesContainer _roles;
         rbac::RBACGroupsContainer _groups;
         rbac::RBACDefaultSecurityGroupContainer _defaultSecGroups;
-        rbac::RBACGroupContainer _defaultGroups;
 };
 
 #define sAccountMgr ACE_Singleton<AccountMgr, ACE_Null_Mutex>::instance()

src/server/game/Accounts/RBAC.cpp

@@ -390,6 +390,8 @@ RBACCommandResult RBACData::RevokePermission(uint32 permissionId, int32 realmId
 
 void RBACData::LoadFromDB()
 {
+    ClearData();
+
     TC_LOG_INFO(LOG_FILTER_RBAC, "RBACData::LoadFromDB [Id: %u Name: %s]", GetId(), GetName().c_str());
     TC_LOG_DEBUG(LOG_FILTER_RBAC, "RBACData::LoadFromDB [Id: %u Name: %s]: Loading groups", GetId(), GetName().c_str());
 
@@ -451,7 +453,7 @@ void RBACData::LoadFromDB()
 
     TC_LOG_DEBUG(LOG_FILTER_RBAC, "RBACData::LoadFromDB [Id: %u Name: %s]: Adding default groups", GetId(), GetName().c_str());
     // Add default groups
-    RBACGroupContainer const& groups = sAccountMgr->GetRBACDefaultGroups();
+    RBACGroupContainer const& groups = sAccountMgr->GetRBACDefaultGroups(GetSecurityLevel());
     for (RBACGroupContainer::const_iterator itr = groups.begin(); itr != groups.end(); ++itr)
         AddGroup(*itr);
 
@@ -496,4 +498,14 @@ void RBACData::CalculateNewPermissions()
            _globalPerms &= ~role->GetPermissions();
 }
 
+void RBACData::ClearData()
+{
+    _groups.clear();
+    _grantedRoles.clear();
+    _deniedRoles.clear();
+    _grantedPerms.reset();
+    _deniedPerms.reset();
+    _globalPerms.reset();
+}
+
 }

src/server/game/Accounts/RBAC.h

@@ -780,8 +780,8 @@ class RBACGroup: public RBACObject
 class RBACData: public RBACObject
 {
     public:
-        RBACData(uint32 id, std::string const& name, int32 realmId):
-            RBACObject(id, name), _realmId(realmId) { }
+        RBACData(uint32 id, std::string const& name, int32 realmId, uint8 secLevel = 0):
+            RBACObject(id, name), _realmId(realmId), _secLevel(secLevel) { }
 
         /**
          * @name HasPermission
@@ -1005,11 +1005,23 @@ class RBACData: public RBACObject
 
         /// Loads all permissions, groups and roles assigned to current account
         void LoadFromDB();
+
+        /// Sets security level
+        void SetSecurityLevel(uint8 id)
+        {
+            _secLevel = id;
+            LoadFromDB();
+        }
+
+        /// Returns the security level assigned
+        uint8 GetSecurityLevel() const { return _secLevel; }
     private:
         /// Saves a role to DB, Granted or Denied
         void SaveRole(uint32 role, bool granted, int32 realm);
         /// Saves a permission to DB, Granted or Denied
         void SavePermission(uint32 role, bool granted, int32 realm);
+        /// Clears roles, groups and permissions - Used for reload
+        void ClearData();
 
         /**
          * @name CalculateNewPermissions
@@ -1025,6 +1037,7 @@ class RBACData: public RBACObject
         int32 GetRealmId() { return _realmId; }
 
         int32 _realmId;                                    ///> RealmId Affected
+        uint8 _secLevel;                                   ///> Account SecurityLevel
         RBACGroupContainer _groups;                        ///> Granted groups
         RBACRoleContainer _grantedRoles;                   ///> Granted roles
         RBACRoleContainer _deniedRoles;                    ///> Denied roles

src/server/game/Server/WorldSession.cpp

@@ -1189,12 +1189,13 @@ void WorldSession::LoadPermissions()
     uint32 id = GetAccountId();
     std::string name;
     AccountMgr::GetName(id, name);
+    uint8 secLevel = GetSecurity();
 
-    _RBACData = new rbac::RBACData(id, name, realmID);
+    _RBACData = new rbac::RBACData(id, name, realmID, secLevel);
     _RBACData->LoadFromDB();
 
-    TC_LOG_DEBUG(LOG_FILTER_RBAC, "WorldSession::LoadPermissions [AccountId: %u, Name: %s, realmId: %d]",
-                   id, name.c_str(), realmID);
+    TC_LOG_DEBUG(LOG_FILTER_RBAC, "WorldSession::LoadPermissions [AccountId: %u, Name: %s, realmId: %d, secLevel: %u]",
+                   id, name.c_str(), realmID, secLevel);
 }
 
 rbac::RBACData* WorldSession::GetRBACData()

src/server/worldserver/worldserver.conf.dist

@@ -1130,14 +1130,6 @@ DBC.EnforceItemAttributes = 1
 
 AccountInstancesPerHour = 5
 
-#
-#   RBAC.DefaultGroups
-#        Description: Comma separated list of groups to be added to any account
-#                     Check auth.rbac_groups for correct ids
-#        Default:     "" (No group)
-
-RBAC.DefaultGroups = ""
-
 #
 #   Account.PasswordChangeSecurity
 #        Description: Controls how secure the password changes are.