[rt-users] Bug with rights granted to roles. (RT#8071)

Phil Dibowitz phil at ticketmaster.com
Wed Dec 13 15:36:44 EST 2006


Hey folks,

I opened RT 8071 (http://rt3.fsck.com/Ticket/Display.html?id=8071) for this,
but I wanted to jump on the list and see if anyone can help me debug further
or offer any other help.

After an upgrade from 3.0.8 to 3.6.1, rights granted to roles (in this case
AdminCC, done globally) don't work.

I picked one specific access and followed it through the code...
ModifyCustomFields.

I modified Principal_Overlay.pm to print out the SQL query, and it's:

SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE
(ACL.RightName = 'SuperUser' OR ACL.RightName = 'ModifyCustomField') AND
Principals.Disabled = 0 AND CachedGroupMembers.Disabled = 0 AND
Principals.id = Groups.id AND Principals.PrincipalType = 'Group' AND
Principals.id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId =
38665 AND ((ACL.ObjectType = 'RT::CustomField' AND ACL.ObjectId = 19) OR
(ACL.ObjectType = 'RT::System')) AND ACL.PrincipalType = Groups.Type AND
((Groups.Domain = 'RT::CustomField-Role' AND Groups.Instance = '19') OR
(Groups.Domain = 'RT::System-Role')) LIMIT 1;

Every one of those conditions is true... EXCEPT for:

CachedGroupMembers.MemberId = 38665

That query converges on Principals.id 9 (and GroupId 9), but none of the
rows in CachedGroupMembers have a GroupId=9.

I suspect a bug in the updating of that CachedGroupMembers table - but I
can't figure out where.

On a very related note, it turns out that you cannot assign the
ModifyCustomFields permission within a queue to a given group. In other
words, if I go to
Configuration -> Queues -> <some queue> -> Group rights

the ModifyCustomField right isn't in the list for any of the groups! So the
only way I can give people access to modify custom fields at this point is
to give it to people globally rather than at their queue level, which is
fairly problematic.

Any help would be appreciated.

-- 
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com

"Never write it in C if you can do it in 'awk';
 Never do it in 'awk' if 'sed' can handle it;
 Never use 'sed' when 'tr' can do the job;
 Never invoke 'tr' when 'cat' is sufficient;
 Avoid using 'cat' whenever possible" -- Taylor's Laws of Programming
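
The debugging step described in the message above, as an added example that is not part of the original post or of RT's code: it rebuilds the posted query one table at a time against an in-memory SQLite database and reports the first table whose join stops matching. The table layouts and rows are constructed for illustration, reduced to the columns the posted query names, and reuse the ids 9, 19 and 38665 from the message; `first_failing_table` and `build_db` are hypothetical helper names.

```python
import sqlite3

# Constructed minimal schema: only the columns the query in the post references.
SCHEMA = """
CREATE TABLE ACL (id INTEGER PRIMARY KEY, RightName TEXT, ObjectType TEXT,
                  ObjectId INTEGER, PrincipalType TEXT);
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Domain TEXT, Type TEXT, Instance TEXT);
CREATE TABLE Principals (id INTEGER PRIMARY KEY, PrincipalType TEXT, Disabled INTEGER);
CREATE TABLE CachedGroupMembers (id INTEGER PRIMARY KEY, GroupId INTEGER,
                                 MemberId INTEGER, Disabled INTEGER);
"""

# The post's WHERE clause, grouped by the table each predicate brings in.
STAGES = [
    ("ACL", "(ACL.RightName = 'SuperUser' OR ACL.RightName = :right) AND "
            "((ACL.ObjectType = 'RT::CustomField' AND ACL.ObjectId = :cf) "
            "OR ACL.ObjectType = 'RT::System')"),
    ("Groups", "ACL.PrincipalType = Groups.Type AND "
               "((Groups.Domain = 'RT::CustomField-Role' AND Groups.Instance = :cf_s) "
               "OR Groups.Domain = 'RT::System-Role')"),
    ("Principals", "Principals.id = Groups.id AND Principals.PrincipalType = 'Group' "
                   "AND Principals.Disabled = 0"),
    ("CachedGroupMembers", "Principals.id = CachedGroupMembers.GroupId AND "
                           "CachedGroupMembers.MemberId = :member AND "
                           "CachedGroupMembers.Disabled = 0"),
]

def first_failing_table(db, right, cf, member):
    """Add one table at a time; return the first table whose join yields no rows."""
    params = {"right": right, "cf": cf, "cf_s": str(cf), "member": member}
    tables, conds = [], []
    for table, cond in STAGES:
        tables.append(table)
        conds.append(cond)
        sql = f"SELECT COUNT(*) FROM {', '.join(tables)} WHERE {' AND '.join(conds)}"
        if db.execute(sql, params).fetchone()[0] == 0:
            return table
    return None  # every predicate matched: the right would be granted

def build_db(with_cache_row):
    """Constructed sample rows using the ids quoted in the post (9, 19, 38665)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO ACL VALUES (1, 'ModifyCustomField', 'RT::System', 0, 'AdminCC')")
    db.execute("INSERT INTO Groups VALUES (9, 'RT::System-Role', 'AdminCC', '')")
    db.execute("INSERT INTO Principals VALUES (9, 'Group', 0)")
    if with_cache_row:
        db.execute("INSERT INTO CachedGroupMembers VALUES (1, 9, 38665, 0)")
    return db
```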

