[rt-users] Can't revoke a right; skip cleaning up invalid delegations?
Kevin Falcone
falcone at bestpractical.com
Mon Sep 12 11:32:17 EDT 2011
On Sat, Sep 10, 2011 at 01:09:51AM -0500, Jason L Tibbitts III wrote:
> My 'Privileged' group has been assigned 'DelegateRights' and
> 'SuperUser'. This bonehead move went unnoticed as originally only two
> people used the system for a single queue, but now lots of others want
> to use the system and of course everybody can do and see anything.
>
> Attempting to remove either of those privileges results in an error 'Right
> could not be revoked'. The following is logged in the httpd/error_log:
You should give rt-validator a try before removing code.
Also, we've removed Delegations in RT4 which greatly simplified this
codepath.
-kevin
> [warning]: User not loaded. (/usr/share/perl5/RT/User_Overlay.pm:1555)
>
> Now, I note that the above error comes from the
> _CleanupInvalidDelegations function. The two privileges are special due
> to this code in ACE_Overlay.pm:
>
>     # If we're revoking delegation rights (see above), we may need to
>     # revoke all rights delegated by the recipient.
>     if ($val and ($self->RightName() eq 'DelegateRights' or
>                   $self->RightName() eq 'SuperUser')) {
>         $val = $self->PrincipalObj->_CleanupInvalidDelegations( InsideTransaction => 1 );
>     }
>
> _CleanupInvalidDelegations simply bails immediately because $self->Id
> isn't set:
>
>     unless ( $self->Id ) {
>         $RT::Logger->warning("User not loaded.");
>         return (undef);
>     }
>
> I'm honestly not sure how this is supposed to work; I haven't unraveled
> enough of the code to figure it all out. How could Id not be set there?
>
> Now, I get that revoking someone's superuser access should undo any
> privileges those people happened to grant. But I really just want a way
> out of the current situation, and can go through the users one by one
> and remove things manually if indeed that actually happened.
>
> So, a couple of questions:
>
> Has anyone actually found a solution to this issue? I see it asked
> several times in the list archives but I could find no solution.
>
> What would actually blow up if I just commented out the call to
> _CleanupInvalidDelegations? Will the delegations somehow make the
> system explode, or is this just something that's supposed to ensure that
> nobody has superuser access who shouldn't? I don't think a few invalid
> delegations are a problem for my use case, though I guess if I could
> find them I could just clean them up manually.
>
> Any tips, hints, or (of course) outright solutions would be great.
>
> Oh, I'm running 3.8.8+patches currently. I could bump to 3.8.10 if
> anyone thinks it would help.
>
> - J<
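An added example, not part of the thread and not RT code: a read-only audit that lists direct SuperUser/DelegateRights grants and any delegated ACEs, flagging those whose source ACE no longer exists. The table and column names are assumed from the RT 3.8 ACL table, and the rows are constructed sample data loaded into an in-memory SQLite database.

```python
import sqlite3

# Assumed layout of RT 3.8's ACL table (only the columns the audit needs).
SCHEMA = """CREATE TABLE ACL (
    id INTEGER PRIMARY KEY, PrincipalType TEXT, PrincipalId INTEGER,
    RightName TEXT, ObjectType TEXT, ObjectId INTEGER,
    DelegatedBy INTEGER DEFAULT 0, DelegatedFrom INTEGER DEFAULT 0)"""

# Constructed sample rows; every id and principal here is made up.
ROWS = [
    (1, "Group", 4, "SuperUser", "RT::System", 1, 0, 0),
    (2, "Group", 4, "DelegateRights", "RT::System", 1, 0, 0),
    (3, "Group", 31, "ShowTicket", "RT::Queue", 5, 0, 0),
    (4, "Group", 57, "ShowTicket", "RT::Queue", 5, 22, 3),     # delegated from ACE 3
    (5, "Group", 58, "ModifyTicket", "RT::Queue", 5, 22, 99),  # source ACE 99 is gone
]

def sample_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ACL VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn

def high_risk_grants(conn):
    """Direct (non-delegated) grants of the two rights that trigger the cleanup call."""
    return conn.execute(
        "SELECT id, PrincipalType, PrincipalId, RightName FROM ACL "
        "WHERE RightName IN ('SuperUser', 'DelegateRights') AND DelegatedBy = 0 "
        "ORDER BY id").fetchall()

def delegated_aces(conn):
    """Delegated ACEs; orphan is 1 when the ACE named in DelegatedFrom is missing."""
    return conn.execute(
        "SELECT a.id, a.RightName, a.DelegatedBy, a.DelegatedFrom, "
        "       p.id IS NULL AS orphan "
        "FROM ACL a LEFT JOIN ACL p ON p.id = a.DelegatedFrom "
        "WHERE a.DelegatedBy <> 0 OR a.DelegatedFrom <> 0 "
        "ORDER BY a.id").fetchall()

if __name__ == "__main__":
    db = sample_db()
    for row in high_risk_grants(db):
        print("broad grant:", row)
    for row in delegated_aces(db):
        print("delegated ACE:", row)
```
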