A privileged user can "Autocreate a user added as a watcher" without rights

PROBLEM
A privileged user does not have the right 'AdminUsers', but presses the
"New ticket in" button, creates a ticket with a fake requestor address, and
the system creates a non-privileged account with this address.

SCENARIO
I'm running RT 3.4.0 on Linux Suse 9.2.
The privileged account is just a member of Everyone and Privileged groups.
The ticket is created in a queue named “Helpdesk” (and also happens in
other queues).

My system has the following rights:

Queue group rights:
  • ReplyToTicket, SeeQueue, and ShowTicket to Everyone
  • CommentOnTicket, CreateTicket, ModifyTicket, ShowTicketComments to
    Privileged
  • CreateTicket to Non-privileged
  • ModifyTicket to Requestor
Queue user rights:
  • none
Global user rights:
  • SuperUser to root.
Global group rights:
  • ModifySelf to Everyone.

DEBUGGING
The function HasRight() inside the module "lib/RT/Principal_Overlay.pm" gets
the arguments "AdminUsers" and "RT::System", and issues the following SQL
query:
SELECT ACL.id FROM ACL, Groups, Principals, CachedGroupMembers WHERE
  (ACL.RightName = 'SuperUser' OR ACL.RightName = 'AdminUsers') AND
  Principals.Disabled = 0 AND
  CachedGroupMembers.Disabled = 0 AND
  Principals.id = Groups.id AND
  Principals.id = CachedGroupMembers.GroupId AND
  CachedGroupMembers.MemberId = '1' AND
  (ACL.ObjectType = 'RT::System' OR
   (ACL.ObjectType = 'RT::System' AND ACL.ObjectId = '1')) AND
  ((ACL.PrincipalId = Principals.id AND
    ACL.PrincipalType = 'Group' AND
    (Groups.Domain = 'SystemInternal' OR
     Groups.Domain = 'UserDefined' OR
     Groups.Domain = 'ACLEquivalence' OR
     Groups.Domain = 'Personal'))) LIMIT 1

This query returns 1 row, with id=1. The complete row for this query, split
by source table, is:

ACL:
| id | PrincipalType | PrincipalId | RightName | ObjectType | ObjectId | DelegatedBy | DelegatedFrom |
| 1  | Group         | 2           | SuperUser | RT::System | 1        | 0           | 0             |

Groups:
| id | Name   | Description           | Domain         | Type      | Instance |
| 2  | User 1 | ACL equiv. for user 1 | ACLEquivalence | UserEquiv | 1        |

Principals:
| id | PrincipalType | ObjectId | Disabled |
| 2  | Group         | 2        | 0        |

CachedGroupMembers:
| id | GroupId | MemberId | Via | ImmediateParentId | Disabled |
| 2  | 2       | 1        | 2   | 2                 | 0        |

QUESTIONS
Why does this user inherit SuperUser rights?
Is this a bug?
Has anyone had the same problem?

Regards,

Carlos Crembil
Professional Services
http://openware.biz
eMail: ccrembil@openware.biz
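To make the DEBUGGING section above concrete, here is an added example (my own, not code from the post and not RT's own code) that replays the HasRight() query from the post against a throw-away SQLite database. The four table layouts and the single row that RT returned are copied from the debug output in the post; the rest is constructed to mirror the SCENARIO section and is an assumption: a privileged user with principal id 22 and ACL-equivalence group 23, the Everyone and Privileged groups as ids 3 and 4, a queue with id 5, and the two extra ACL rows. The query text is kept as posted, with RightName and CachedGroupMembers.MemberId turned into bind parameters so the same predicate can be evaluated for different principals.

```python
"""Replay RT's HasRight() SQL (as quoted in the post) against SQLite.

Added example, not RT code. Table layouts and the one returned row come from
the post; every other id and row is constructed for illustration.
"""
import sqlite3

# Tail of the query RT issued, verbatim from the post, with the two inputs
# that vary per call (RightName, CachedGroupMembers.MemberId) as bind params.
WHERE_SQL = """
  (ACL.RightName = 'SuperUser' OR ACL.RightName = ?) AND
  Principals.Disabled = 0 AND
  CachedGroupMembers.Disabled = 0 AND
  Principals.id = Groups.id AND
  Principals.id = CachedGroupMembers.GroupId AND
  CachedGroupMembers.MemberId = ? AND
  (ACL.ObjectType = 'RT::System' OR
   (ACL.ObjectType = 'RT::System' AND ACL.ObjectId = '1')) AND
  ((ACL.PrincipalId = Principals.id AND
    ACL.PrincipalType = 'Group' AND
    (Groups.Domain = 'SystemInternal' OR
     Groups.Domain = 'UserDefined' OR
     Groups.Domain = 'ACLEquivalence' OR
     Groups.Domain = 'Personal')))
"""
FROM_SQL = "FROM ACL, Groups, Principals, CachedGroupMembers WHERE"
HAS_RIGHT_SQL = "SELECT ACL.id " + FROM_SQL + WHERE_SQL + " LIMIT 1"
# Same predicate, but return which grant satisfied it instead of only ACL.id.
EXPLAIN_SQL = ("SELECT ACL.RightName, Groups.Name, Groups.Description "
               + FROM_SQL + WHERE_SQL + " LIMIT 1")

# Column layouts taken from the result row printed in the post.
SCHEMA = """
CREATE TABLE ACL (id INTEGER PRIMARY KEY, PrincipalType TEXT, PrincipalId INTEGER,
    RightName TEXT, ObjectType TEXT, ObjectId INTEGER,
    DelegatedBy INTEGER, DelegatedFrom INTEGER);
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Name TEXT, Description TEXT,
    Domain TEXT, Type TEXT, Instance INTEGER);
CREATE TABLE Principals (id INTEGER PRIMARY KEY, PrincipalType TEXT,
    ObjectId INTEGER, Disabled INTEGER);
CREATE TABLE CachedGroupMembers (id INTEGER PRIMARY KEY, GroupId INTEGER,
    MemberId INTEGER, Via INTEGER, ImmediateParentId INTEGER, Disabled INTEGER);
"""


def build_db():
    """In-memory database holding the post's row plus constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # The single row RT returned, split back into its four source tables
    # (values copied from the post).
    conn.execute("INSERT INTO ACL VALUES (1,'Group',2,'SuperUser','RT::System',1,0,0)")
    conn.execute("INSERT INTO Groups VALUES (2,'User 1','ACL equiv. for user 1',"
                 "'ACLEquivalence','UserEquiv',1)")
    conn.execute("INSERT INTO Principals VALUES (2,'Group',2,0)")
    conn.execute("INSERT INTO CachedGroupMembers VALUES (2,2,1,2,2,0)")
    # Constructed (hypothetical ids, not from the post): system groups Everyone (3)
    # and Privileged (4), a privileged user with principal id 22 and its own
    # ACL-equivalence group 23, the global "ModifySelf to Everyone" grant from
    # the SCENARIO section, and one queue-level grant on a hypothetical queue 5.
    conn.executemany("INSERT INTO Principals VALUES (?,?,?,?)", [
        (3, 'Group', 3, 0), (4, 'Group', 4, 0),
        (22, 'User', 22, 0), (23, 'Group', 23, 0)])
    conn.executemany("INSERT INTO Groups VALUES (?,?,?,?,?,?)", [
        (3, 'Everyone', 'Pseudogroup for internal use', 'SystemInternal', 'Everyone', 0),
        (4, 'Privileged', 'Pseudogroup for internal use', 'SystemInternal', 'Privileged', 0),
        (23, 'User 22', 'ACL equiv. for user 22', 'ACLEquivalence', 'UserEquiv', 22)])
    conn.executemany("INSERT INTO CachedGroupMembers VALUES (?,?,?,?,?,?)", [
        (10, 23, 22, 23, 23, 0),   # user 22 in its own equivalence group
        (11, 3, 22, 22, 3, 0),     # user 22 in Everyone
        (12, 4, 22, 22, 4, 0)])    # user 22 in Privileged
    conn.executemany("INSERT INTO ACL VALUES (?,?,?,?,?,?,?,?)", [
        (2, 'Group', 3, 'ModifySelf', 'RT::System', 1, 0, 0),    # global group right
        (3, 'Group', 4, 'CreateTicket', 'RT::Queue', 5, 0, 0)])  # queue-level right
    conn.commit()
    return conn


def has_right(conn, member_id, right_name):
    """True when the post's query finds at least one matching ACL row."""
    return conn.execute(HAS_RIGHT_SQL, (right_name, member_id)).fetchone() is not None


def matching_grant(conn, member_id, right_name):
    """(RightName, group Name, group Description) of the grant that matched, or None."""
    return conn.execute(EXPLAIN_SQL, (right_name, member_id)).fetchone()


if __name__ == "__main__":
    db = build_db()
    for member, right in [(1, "AdminUsers"), (22, "AdminUsers"),
                          (22, "ModifySelf"), (22, "CreateTicket")]:
        print(f"MemberId={member:<3} {right:<13} -> {has_right(db, member, right)!s:<5}"
              f" via {matching_grant(db, member, right)}")
```

Run as a script, it shows three things the query text alone does not make obvious: the predicate is evaluated for MemberId 1 and is satisfied by the SuperUser grant on the ACL-equivalence group of principal 1 (the row the post shows), because the 'SuperUser' alternative in the first clause short-circuits any specific right; for the constructed privileged user 22 the identical query finds no AdminUsers grant and returns nothing; and a queue-level grant (ObjectType 'RT::Queue') is never considered by an RT::System check, so the queue rights listed in the SCENARIO section cannot be the source of the match.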