[rt-users] Can't revoke a right; skip cleaning up invalid delegations?

Kevin Falcone falcone at bestpractical.com
Mon Sep 12 11:32:17 EDT 2011 

On Sat, Sep 10, 2011 at 01:09:51AM -0500, Jason L Tibbitts III wrote:
> My 'Privileged' group has been assigned 'DelegateRights' and
> 'SuperUser'.  This bonehead move went unnoticed as originally only two
> people used the system for a single queue, but now lots of others want
> to use the system and of course everybody can do and see anything.
> 
> Attempting to remove either of those privileges results an error 'Right
> could not be revoked'.  The following is logged in the httpd/error_log:

You should give rt-validator a try before removing code.

Also, we've removed Delegations in RT4 which greatly simplified this
codepath.

-kevin

> [warning]: User not loaded. (/usr/share/perl5/RT/User_Overlay.pm:1555)
> 
> Now, I note that the above error comes from the
> _CleanupInvalidDelegations function.  The two privileges are special due
> to this code in ACE_Overlay.pm:
> 
>     # If we're revoking delegation rights (see above), we may need to
>     # revoke all rights delegated by the recipient.
>     if ($val and ($self->RightName() eq 'DelegateRights' or
>                   $self->RightName() eq 'SuperUser')) {
>         $val = $self->PrincipalObj->_CleanupInvalidDelegations( InsideTransaction => 1 );
>     }
> 
> _CleanupInvalidDelegations simply bails immediately because $self->Id
> isn't set:
> 
>     unless ( $self->Id ) {
>     $RT::Logger->warning("User not loaded.");
>     return (undef);
>     }
> 
> I'm honestly not sure how this is supposed to work; I haven't unraveled
> enough of the code to figure it all out.  How could Id not be set there?
> 
> Now, I get that revoking someone's superuser access should undo any
> privileges those people happened to grant.  But I really just want a way
> out of the current situation, and can go through the users one by one
> and remove things manually if indeed that actually happened.
> 
> So, a couple of questions:
> 
> Has anyone actually found a solution to this issue?  I see it asked
> several times in the list archives but I could find no solution.
> 
> What would actually blow up if I just commented out the call to
> _CleanupInvalidDelegations?  Will the delegations somehow make the
> system explode, or is this just something that's suppose to ensure that
> nobody has superuser access who shouldn't?  I don't think a few invalid
> delegations are a problem for my use case, though I guess if I could
> find them I could just clean them up manually.
> 
> Any tips, hints, or (of course) outright solutions would be great.
> 
> Oh, I'm running 3.8.8+patches currently.  I could bump to 3.8.10 if
> anyone thinks it would help.
> 
>  - J<
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  Chicago, IL, USA  September 26 & 27, 2011
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Melbourne VIC, Australia  November 28 & 29, 2011
> *  Barcelona, Spain  November 28 & 29, 2011
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20110912/4bca5044/attachment.sig>

More information about the rt-users mailing list