[rt-users] ExecuteCode by Queue AdminCc groups on RT::System
Kevin Falcone
falcone at bestpractical.com
Wed Dec 18 11:39:02 EST 2013
On Tue, Dec 17, 2013 at 11:00:35PM +0100, Kai Storbeck wrote:
> My production system contains a few ACLs that do not dump correctly
> using rt-dump-metadata. They end up multiple times in our dump as:
>
> {
> "Right" : "ExecuteCode",
> "GroupDomain" : "RT::System-Role",
> "GroupType" : "AdminCc"
> },
>
> (In JSON for readability)
>
> These are in reality applied to the AdminCC group principal of queues.
>
> What is the bug here?
>
> Is it that I should be able to see such a right in the Global rights
> page, or should the right not have been granted since the upgrade step
> (3.9.1 iirc)?
> (It is a bit of a weird delegation of rights, but a few of our AdminCc
> groups have indeed the right to edit templates).

Looking briefly in the ACL dumping code, it says this:

    elsif ( /^RT::Group$/ ) {
        # No support for RT::Group ACLs in RT::Handle yet.
        next OBJECT;
    }

which implies to me that it has no idea how to handle your rights.

-kevin