[rt-users] ExecuteCode by Queue AdminCc groups on RT::System

Kevin Falcone falcone at bestpractical.com
Wed Dec 18 11:39:02 EST 2013


On Tue, Dec 17, 2013 at 11:00:35PM +0100, Kai Storbeck wrote:
> My production system contains a few ACLs that do not dump correctly
> using rt-dump-metadata. They end up multiple times in our dump as:
> 
>       {
>          "Right" : "ExecuteCode",
>          "GroupDomain" : "RT::System-Role",
>          "GroupType" : "AdminCc"
>       },
> 
> (In JSON for readability)
> 
> These are in reality applied to the AdminCc group principal of queues.
> 
> What is the bug here?
> 
> Is it that I should be able to see such a right in the Global rights
> page, or should the right not have been granted since the upgrade step
> (3.9.1 iirc)?
> (It is a bit of a weird delegation of rights, but a few of our AdminCc
> groups have indeed the right to edit templates).

Looking briefly in the ACL dumping code, it says this:

    elsif ( /^RT::Group$/ ) {
        # No support for RT::Group ACLs in RT::Handle yet.
        next OBJECT;
    }

which implies to me that it has no idea how to handle your rights.

-kevin
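
An added example, not part of the original thread or of RT's code: a Python check that reads ACL entries in the JSON shape quoted above and reports sensitive rights whose identical entry occurs more than once on a role group, which is the symptom described in the question. The flat list layout, the `SENSITIVE_RIGHTS` set and the function name are assumptions, and the sample entries are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape quoted in the thread; not real dump output.
SAMPLE_DUMP = json.loads("""
[
  {"Right": "ExecuteCode", "GroupDomain": "RT::System-Role", "GroupType": "AdminCc"},
  {"Right": "ExecuteCode", "GroupDomain": "RT::System-Role", "GroupType": "AdminCc"},
  {"Right": "ExecuteCode", "GroupDomain": "RT::System-Role", "GroupType": "AdminCc"},
  {"Right": "ShowTicket",  "GroupDomain": "RT::System-Role", "GroupType": "Requestor"},
  {"Right": "ExecuteCode", "GroupDomain": "SystemInternal",  "GroupType": "Privileged"}
]
""")

SENSITIVE_RIGHTS = {"ExecuteCode"}  # rights to review by hand (assumption)


def audit_acl_entries(entries, sensitive=SENSITIVE_RIGHTS):
    """Return one finding per distinct sensitive ACL entry.

    "count" is how often the identical entry occurs. A count above one on a
    role group means the dump holds several grants it can no longer tell
    apart, so the object each grant was made on is not recorded.
    """
    counts = Counter(
        (e.get("Right", ""), e.get("GroupDomain", ""), e.get("GroupType", ""))
        for e in entries
    )
    findings = []
    for (right, domain, gtype), n in sorted(counts.items()):
        if right not in sensitive:
            continue
        findings.append({
            "right": right,
            "domain": domain,
            "type": gtype,
            "count": n,
            "scope_lost": domain.endswith("-Role") and n > 1,
        })
    return findings


if __name__ == "__main__":
    for f in audit_acl_entries(SAMPLE_DUMP):
        note = "REVIEW: duplicated role grant" if f["scope_lost"] else "ok"
        print(f"{f['right']} {f['domain']}/{f['type']} x{f['count']}: {note}")
```

Entries flagged this way are worth comparing against the live rights pages before the dump is used for anything, since the dump alone does not say which queues the grants came from.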