ACL-related bug. RT 3.4.2 & 3.6.5

ACL-related bug, reproduced with RT 3.4.2/SB 1.53 and RT 3.6.5/SB 1.48

The method Users->WhoHaveRight will return users whose access is through a
disabled group.

For example: a queue TestIssues grants 'ShowTicket' only to members of the
'testers' group. User 'jane' is a member of 'testers'.

For this queue and this user, the following API call correctly returns
true:

 $QueueObj->CurrentUserHasRight('ShowTicket')   # $QueueObj loaded as 'jane'

And 'jane' is part of the collection limited by:

 my $Users = RT::Users->new($RT::SystemUser);
 $Users->WhoHaveRight(
     Right               => 'ShowTicket',
     Object              => $QueueObj,
     IncludeSystemRights => 1,
     IncludeSuperusers   => 1,
 );

So far so good. Now if we disable the 'testers' group this statement
returns false (correct):

 $QueueObj->CurrentUserHasRight('ShowTicket')   # $QueueObj loaded as 'jane'

BUT (here's the problem) - 'jane' and other members of 'testers' are still
part of $Users when we do this:

 $Users->WhoHaveRight(
     Right               => 'ShowTicket',
     Object              => $QueueObj,
     IncludeSystemRights => 1,
     IncludeSuperusers   => 1,
 );

… and she should not be. This seems to be because the query generated by
the WhoHaveRight call does not exclude disabled groups.

Steve

Stephen Turner
Senior Programmer/Analyst - SAIS
MIT IS&T
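The following reproduction script is an added example and is not part of Stephen's report or of RT's own code. It assumes an RT 3.x installation under /opt/rt3 (adjust the `use lib` path), a throwaway test database, and that the names TestIssues, testers and jane are not already in use. It builds the scenario from the post (a queue whose ShowTicket right is granted only to the 'testers' group, with 'jane' as a member), then prints the per-user check next to the WhoHaveRight collection both before and after the group is disabled, so the two can be compared directly.

```perl
#!/usr/bin/perl
# Added example (not from the original report): reproduce the scenario where
# WhoHaveRight still lists members of a disabled group.
# Assumptions: RT 3.x under /opt/rt3, a test database, and the names
# TestIssues / testers / jane not yet present.
use strict;
use warnings;
use lib '/opt/rt3/lib';
use RT;

RT::LoadConfig();
RT::Init();

# Set up a queue, a user-defined group, and a privileged user in that group.
my $queue = RT::Queue->new($RT::SystemUser);
my ($qid, $qmsg) = $queue->Create(Name => 'TestIssues');
die "queue: $qmsg" unless $qid;

my $group = RT::Group->new($RT::SystemUser);
my ($gid, $gmsg) = $group->CreateUserDefinedGroup(Name => 'testers');
die "group: $gmsg" unless $gid;

my $jane = RT::User->new($RT::SystemUser);
my ($uid, $umsg) = $jane->Create(Name => 'jane', Privileged => 1);
die "user: $umsg" unless $uid;

my ($ok, $msg) = $group->AddMember($jane->PrincipalId);
die "membership: $msg" unless $ok;

# Grant ShowTicket on the queue to the group only (no direct grant to jane).
($ok, $msg) = $group->PrincipalObj->GrantRight(
    Right  => 'ShowTicket',
    Object => $queue,
);
die "grant: $msg" unless $ok;

# Print the direct per-user ACL check beside the WhoHaveRight collection.
# In a correct implementation the two answers agree in both reports.
sub report {
    my ($label) = @_;

    my $direct = $jane->HasRight(Right => 'ShowTicket', Object => $queue)
        ? 'yes' : 'no';

    my $users = RT::Users->new($RT::SystemUser);
    $users->WhoHaveRight(
        Right               => 'ShowTicket',
        Object              => $queue,
        IncludeSystemRights => 1,
        IncludeSuperusers   => 1,
    );
    my %listed;
    while (my $u = $users->Next) {
        $listed{ $u->Name } = 1;
    }
    my $in_collection = $listed{jane} ? 'yes' : 'no';

    print "$label: jane->HasRight=$direct, "
        . "jane in WhoHaveRight=$in_collection\n";
}

report('group enabled');

# Disable the group; jane's only path to ShowTicket now goes through a
# disabled group, so both answers should become 'no'.
($ok, $msg) = $group->SetDisabled(1);
die "disable: $msg" unless $ok;

report('group disabled');
```

Run it as the RT system user against a test instance. If the behaviour described in the report is present, the second line shows `jane->HasRight=no` alongside `jane in WhoHaveRight=yes`; on a version where WhoHaveRight excludes disabled groups, both read `no`.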