On Sat, Sep 10, 2011 at 01:09:51AM -0500, Jason L Tibbitts III wrote: > My 'Privileged' group has been assigned 'DelegateRights' and > 'SuperUser'. This bonehead move went unnoticed as originally only two > people used the system for a single queue, but now lots of others want > to use the system and of course everybody can do and see anything. > > Attempting to remove either of those privileges results an error 'Right > could not be revoked'. The following is logged in the httpd/error_log:
You should give rt-validator a try before removing code. Also, we've removed Delegations in RT4 which greatly simplified this codepath. -kevin > [warning]: User not loaded. (/usr/share/perl5/RT/User_Overlay.pm:1555) > > Now, I note that the above error comes from the > _CleanupInvalidDelegations function. The two privileges are special due > to this code in ACE_Overlay.pm: > > # If we're revoking delegation rights (see above), we may need to > # revoke all rights delegated by the recipient. > if ($val and ($self->RightName() eq 'DelegateRights' or > $self->RightName() eq 'SuperUser')) { > $val = $self->PrincipalObj->_CleanupInvalidDelegations( > InsideTransaction => 1 ); > } > > _CleanupInvalidDelegations simply bails immediately because $self->Id > isn't set: > > unless ( $self->Id ) { > $RT::Logger->warning("User not loaded."); > return (undef); > } > > I'm honestly not sure how this is supposed to work; I haven't unraveled > enough of the code to figure it all out. How could Id not be set there? > > Now, I get that revoking someone's superuser access should undo any > privileges those people happened to grant. But I really just want a way > out of the current situation, and can go through the users one by one > and remove things manually if indeed that actually happened. > > So, a couple of questions: > > Has anyone actually found a solution to this issue? I see it asked > several times in the list archives but I could find no solution. > > What would actually blow up if I just commented out the call to > _CleanupInvalidDelegations? Will the delegations somehow make the > system explode, or is this just something that's suppose to ensure that > nobody has superuser access who shouldn't? I don't think a few invalid > delegations are a problem for my use case, though I guess if I could > find them I could just clean them up manually. > > Any tips, hints, or (of course) outright solutions would be great. > > Oh, I'm running 3.8.8+patches currently. I could bump to 3.8.10 if > anyone thinks it would help. > > - J< > -------- > RT Training Sessions (http://bestpractical.com/services/training.html) > * Chicago, IL, USA September 26 & 27, 2011 > * San Francisco, CA, USA October 18 & 19, 2011 > * Washington DC, USA October 31 & November 1, 2011 > * Melbourne VIC, Australia November 28 & 29, 2011 > * Barcelona, Spain November 28 & 29, 2011
pgpTHXl851uJs.pgp
Description: PGP signature
-------- RT Training Sessions (http://bestpractical.com/services/training.html) * Chicago, IL, USA September 26 & 27, 2011 * San Francisco, CA, USA October 18 & 19, 2011 * Washington DC, USA October 31 & November 1, 2011 * Melbourne VIC, Australia November 28 & 29, 2011 * Barcelona, Spain November 28 & 29, 2011