A privileged user does not have the right ‘AdminUsers’. But presses the
"New ticket in" button, creates a ticket with a fake requestor address, and
the system creates a non privileged account with this address.
I’m running RT 3.4.0 over Linux Suse 9.2.
The privileged account is just a member of Everyone and Privileged groups.
The ticket is created in a queue named “Helpdesk” (and also happens in
My system has the following rights:
Queue group rights:
- ReplyToTicket, SeeQueue, and ShowTicket to Everyone
- CommentOnTicket, CreateTicket, ModifyTicket, ShowTicketComments to
- CreateTicket to Non privileged
- ModifyTicket to Requestor
Queue user right:
Global user rights:
- SuperUser to root.
Global group rights:
- ModifySelf to Everyone.
The function HasRight() inside module “lib/RT/Principal_Overlay.pm” gets
the arguments “AdminUsers” and “RT::System”, and makes the following SQL
SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE
(ACL.RightName = ‘SuperUser’ OR ACL.RightName = ‘AdminUsers’) AND
Principals.Disabled = 0 AND
CachedGroupMembers.Disabled = 0 AND
Principals.id = Groups.id AND
Principals.id = CachedGroupMembers.GroupId AND
CachedGroupMembers.MemberId = ‘1’ AND
( ACL.ObjectType = ‘RT::System’ OR
(ACL.ObjectType = ‘RT::System’ AND ACL.ObjectId = ‘1’)) AND
( ( ACL.PrincipalId = Principals.id AND
ACL.PrincipalType = ‘Group’ AND
(Groups.Domain = ‘SystemInternal’ OR
Groups.Domain = ‘UserDefined’ OR
Groups.Domain = ‘ACLEquivalence’ OR
Groups.Domain = ‘Personal’)) ) LIMIT 1
This query returns 1 row, with id=1. The complete row for this query is
| id | PrincipalType | PrincipalId | RightName | ObjectType | ObjectId |
DelegatedBy | DelegatedFrom | id | Name | Description | Domain
| Type | Instance | id | PrincipalType | ObjectId | Disabled | id |
GroupId | MemberId | Via | ImmediateParentId | Disabled |
| 1 | Group | 2 | SuperUser | RT::System | 1 |
0 | 0 | 2 | User 1 | ACL equiv. for user 1 | ACLEquivalence |
UserEquiv | 1 | 2 | Group | 2 | 0 | 2 |
2 | 1 | 2 | 2 | 0 |
Why does this user inherits SuperUser rights?
Is this a bug?
Has anyone had the same problem?