On Sat, Sep 10, 2011 at 01:09:51AM -0500, Jason L Tibbitts III wrote: > My 'Privileged' group has been assigned 'DelegateRights' and > 'SuperUser'. This bonehead move went unnoticed as originally only two > people used the system for a single queue, but now lots of others want > to use the system and of course everybody can do and see anything. > > Attempting to remove either of those privileges results an error 'Right > could not be revoked'. The following is logged in the httpd/error_log:
You should give rt-validator a try before removing code.
Also, we've removed Delegations in RT4 which greatly simplified this
codepath.
-kevin
> [warning]: User not loaded. (/usr/share/perl5/RT/User_Overlay.pm:1555)
>
> Now, I note that the above error comes from the
> _CleanupInvalidDelegations function. The two privileges are special due
> to this code in ACE_Overlay.pm:
>
> # If we're revoking delegation rights (see above), we may need to
> # revoke all rights delegated by the recipient.
> if ($val and ($self->RightName() eq 'DelegateRights' or
> $self->RightName() eq 'SuperUser')) {
> $val = $self->PrincipalObj->_CleanupInvalidDelegations(
> InsideTransaction => 1 );
> }
>
> _CleanupInvalidDelegations simply bails immediately because $self->Id
> isn't set:
>
> unless ( $self->Id ) {
> $RT::Logger->warning("User not loaded.");
> return (undef);
> }
>
> I'm honestly not sure how this is supposed to work; I haven't unraveled
> enough of the code to figure it all out. How could Id not be set there?
>
> Now, I get that revoking someone's superuser access should undo any
> privileges those people happened to grant. But I really just want a way
> out of the current situation, and can go through the users one by one
> and remove things manually if indeed that actually happened.
>
> So, a couple of questions:
>
> Has anyone actually found a solution to this issue? I see it asked
> several times in the list archives but I could find no solution.
>
> What would actually blow up if I just commented out the call to
> _CleanupInvalidDelegations? Will the delegations somehow make the
> system explode, or is this just something that's suppose to ensure that
> nobody has superuser access who shouldn't? I don't think a few invalid
> delegations are a problem for my use case, though I guess if I could
> find them I could just clean them up manually.
>
> Any tips, hints, or (of course) outright solutions would be great.
>
> Oh, I'm running 3.8.8+patches currently. I could bump to 3.8.10 if
> anyone thinks it would help.
>
> - J<
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Chicago, IL, USA September 26 & 27, 2011
> * San Francisco, CA, USA October 18 & 19, 2011
> * Washington DC, USA October 31 & November 1, 2011
> * Melbourne VIC, Australia November 28 & 29, 2011
> * Barcelona, Spain November 28 & 29, 2011
pgpTHXl851uJs.pgp
Description: PGP signature
-------- RT Training Sessions (http://bestpractical.com/services/training.html) * Chicago, IL, USA September 26 & 27, 2011 * San Francisco, CA, USA October 18 & 19, 2011 * Washington DC, USA October 31 & November 1, 2011 * Melbourne VIC, Australia November 28 & 29, 2011 * Barcelona, Spain November 28 & 29, 2011
