List: rt-devel
Subject: [Rt-devel] ACL-related bug. RT 3.4.2 & 3.6.5
From: "Stephen Turner" <sturner () MIT ! EDU>
Date: 2008-11-06 18:17:47
Message-ID: op.uj7mfxh15pzi6r () mockingbird ! mit ! edu

ACL-related bug, reproduced with RT 3.4.2/SB 1.53 and RT 3.6.5/SB 1.48

The method Users->WhoHaveRight will return users whose access is through a
disabled group.

For example: a queue TestIssues grants "ShowTicket" only to members of the
'testers' group. User 'jane' is a member of 'testers'.

For this queue and this user, the following API call correctly returns
true:

    $QueueObj->CurrentUserHasRight('ShowTicket')

And 'jane' is part of the collection limited by:

    my $Users = RT::Users->new($RT::SystemUser);
    $Users->WhoHaveRight(Right               => 'ShowTicket',
                         Object              => $QueueObj,
                         IncludeSystemRights => 1,
                         IncludeSuperusers   => 1);

So far so good. Now if we disable the 'testers' group this statement
returns false (correct):

    $QueueObj->CurrentUserHasRight('ShowTicket')

BUT (here's the problem) - 'jane' and other members of 'testers' are still
part of $Users when we do this:

    $Users->WhoHaveRight(Right               => 'ShowTicket',
                         Object              => $QueueObj,
                         IncludeSystemRights => 1,
                         IncludeSuperusers   => 1);

... and she should not be. This seems to be because the query generated by
the WhoHaveRight call does not exclude disabled groups.

Steve
--
Stephen Turner
Senior Programmer/Analyst - SAIS
MIT IS&T
_______________________________________________
List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel
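
Added example, not part of the original post and not RT's code: a Python/sqlite3 model of the mismatch described above, where a per-user check honours a group's disabled flag but the set-based enumeration does not. The tables, column names, the extra users and the function names are constructed assumptions, not RT's real schema or API.

```python
import sqlite3

# Constructed, simplified schema and data: NOT RT's real tables.
SCHEMA = """
CREATE TABLE groups  (id INTEGER PRIMARY KEY, name TEXT, disabled INTEGER DEFAULT 0);
CREATE TABLE members (group_id INTEGER, username TEXT);
CREATE TABLE acl     (group_id INTEGER, right_name TEXT, queue TEXT);
INSERT INTO groups  VALUES (1, 'testers', 0), (2, 'staff', 0);
INSERT INTO members VALUES (1, 'jane'), (1, 'raj'), (2, 'maria');
INSERT INTO acl     VALUES (1, 'ShowTicket', 'TestIssues'), (2, 'ShowTicket', 'TestIssues');
"""

ENUM_SQL = """
SELECT DISTINCT m.username FROM acl a
JOIN groups g  ON g.id = a.group_id
JOIN members m ON m.group_id = g.id
WHERE a.right_name = ? AND a.queue = ? {extra}
ORDER BY m.username
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def who_have_right(db, right, queue, exclude_disabled):
    """Set-based enumeration; exclude_disabled=False models the reported behaviour."""
    extra = "AND g.disabled = 0" if exclude_disabled else ""
    rows = db.execute(ENUM_SQL.format(extra=extra), (right, queue))
    return [r[0] for r in rows]

def user_has_right(db, user, right, queue):
    """Per-user check that honours the disabled flag (the path the post reports as correct)."""
    row = db.execute(
        "SELECT 1 FROM acl a JOIN groups g ON g.id = a.group_id "
        "JOIN members m ON m.group_id = g.id "
        "WHERE m.username = ? AND a.right_name = ? AND a.queue = ? AND g.disabled = 0",
        (user, right, queue)).fetchone()
    return row is not None

def inconsistencies(db, right, queue, exclude_disabled):
    """Users the enumeration lists but the per-user check denies."""
    return [u for u in who_have_right(db, right, queue, exclude_disabled)
            if not user_has_right(db, u, right, queue)]

if __name__ == "__main__":
    db = make_db()
    db.execute("UPDATE groups SET disabled = 1 WHERE name = 'testers'")
    print("unfiltered:", inconsistencies(db, "ShowTicket", "TestIssues", False))
    print("filtered:  ", inconsistencies(db, "ShowTicket", "TestIssues", True))
```

A cross-check like inconsistencies() is useful as a regression test wherever one code path answers "does this user have the right?" and another answers "who has the right?", since the two are often built from different queries.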