[rt-users] Handful of users showing up in owner dropdown but have no access

Mike Johnson mike.johnson at nosm.ca
Wed Oct 15 11:56:38 EDT 2014


I did that query and it returned 26 rows.
All of the returned rows say the PrincipalType is Group, which I would
assume means the 'OwnTicket' right is not granted to a specific user
anywhere in RT.


I didn't want to make that assumption, just in case it was incorrect, so I
took a look at the data schema for 3.8.10, which I believe is here:
http://bestpractical.com/rt/3.4-schema.png (note** My SQL skills are
extremely rusty... been working in a Unidata database for 13-14 yrs)

It looks like ACL.PrincipalId is a foreign key to Principals, and id is the
primary key for Principals and Users?

With that scenario, I ran a query linking them all together and attempting
to return user info for any of the 26 rows from the original query. No user
info is returned for any of them (query used below):

mysql> select p.id,p.PrincipalType,u.Name,u.EmailAddress,u.RealName
    ->  from Principals p
    ->  left join ACL a on a.PrincipalId = p.id
    ->  left join Users u on u.id = p.id
    ->  where a.RightName='OwnTicket';


Just for a wild attempt at getting what I was expecting based on Kevin's
response (I wanted to see 5 users that had the 'OwnTicket' right) I tried
switching to ACL.id as a foreign key. It returned only 9 rows, only 2 of
which were users, but neither were the users that are showing up in the
Owner dropdown that shouldn't be. I believe this was just chance, garbage
data, as I believe the first query showed the real results, but I was
fishing...

With this information I did some more investigating to understand the
symptom better. It looks like these users only show up in the owner
dropdown of Queues that existed prior to our upgrade from 3.2.1 -> 3.8.10.

Could there have been something missed in this upgrade?

Thanks!
Mike.

On Tue, Oct 14, 2014 at 12:56 PM, Kevin Falcone <falcone at bestpractical.com>
wrote:

> On Fri, Oct 10, 2014 at 01:47:59PM -0400, Mike Johnson wrote:
> > I look at the list of owners for a queue, and there are 5 users that show up in
> > that list (that shouldn't be there), but when I go to their account, they aren't
> > part of any groups, and they don't have any rights assigned to them
> > specifically that I can see (at the user level, or at any queue level).
>
> Generally this means some queue granted OwnTicket to Unprivileged,
> check all your queues, even your disabled ones.  Alternately, select *
> from ACL where RightName = 'OwnTicket' and work the other way.
>
> RT 4.2 explicitly excludes Unprivileged users from the OwnTicket
> dropdown because of this somewhat common mistake.
>
> -kevin
>
> --
> RT Training November 4 & 5 Los Angeles
> http://bestpractical.com/training
>
>


-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca
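
Added example, not part of the original thread or of RT's own code: one way to follow the group-typed 'OwnTicket' rows discussed above back to the group and queue they name, and to flag grants held by the Unprivileged or Everyone system groups, including on disabled queues. It runs against a constructed in-memory SQLite database; the Groups and Queues tables and the Domain, Type, ObjectType, ObjectId and Disabled columns are assumptions about the RT 3.8 schema.

```python
import sqlite3

# Tables/columns beyond those named in the thread (Groups.Domain, Groups.Type,
# ACL.ObjectType, ACL.ObjectId, Queues.Disabled) are assumed from the RT 3.8 schema.
AUDIT_SQL = """
SELECT a.id,
       CASE a.ObjectType WHEN 'RT::System' THEN 'global' ELSE q.Name END AS scope,
       COALESCE(q.Disabled, 0) AS queue_disabled,
       g.Domain, g.Type
FROM ACL a
JOIN Groups g ON g.id = a.PrincipalId
LEFT JOIN Queues q ON a.ObjectType = 'RT::Queue' AND q.id = a.ObjectId
WHERE a.RightName = 'OwnTicket' AND a.PrincipalType = 'Group'
ORDER BY a.id
"""
BROAD = {"Unprivileged", "Everyone"}  # system groups that cover non-staff accounts

def build_sample_db():
    """Constructed sample rows, not data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE Groups (id INTEGER PRIMARY KEY, Name TEXT, Domain TEXT, Type TEXT);
    CREATE TABLE Queues (id INTEGER PRIMARY KEY, Name TEXT, Disabled INTEGER);
    CREATE TABLE ACL (id INTEGER PRIMARY KEY, PrincipalType TEXT,
                      PrincipalId INTEGER, RightName TEXT,
                      ObjectType TEXT, ObjectId INTEGER);
    INSERT INTO Groups VALUES (3, '', 'SystemInternal', 'Everyone'),
                              (5, '', 'SystemInternal', 'Unprivileged'),
                              (40, 'Helpdesk', 'UserDefined', '');
    INSERT INTO Queues VALUES (1, 'General', 0), (2, 'OldQueue', 1);
    INSERT INTO ACL VALUES (100, 'Group', 40, 'OwnTicket', 'RT::Queue', 1),
                           (101, 'Group', 5, 'OwnTicket', 'RT::Queue', 2),
                           (102, 'Group', 5, 'SeeQueue', 'RT::Queue', 1),
                           (103, 'Group', 3, 'OwnTicket', 'RT::System', 1);
    """)
    return conn

def broad_ownticket_grants(conn):
    """Return (scope, queue_disabled, group_type) for each over-broad grant."""
    rows = conn.execute(AUDIT_SQL).fetchall()
    return [(scope, bool(disabled), gtype)
            for _id, scope, disabled, domain, gtype in rows
            if domain == "SystemInternal" and gtype in BROAD]

if __name__ == "__main__":
    for grant in broad_ownticket_grants(build_sample_db()):
        print(grant)
```

On MySQL 8.0 and later, `Groups` is a reserved word and has to be written with backticks when the query is run there.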