All users can comment despite that right being revoked

Hi all,
We’ve just discovered something odd. It seems that all users can comment on
tickets, even though we’ve removed the “comment on tickets” right
everywhere we’ve found it–all groups, privileged users, everyone, etc. I
could simply remove the comment action from the actions list, but I’d
rather find out why the right revoking isn’t doing what I thought.

Is there a way to search the RT database to see where this right is
enabled, to check that none of us (admins) missed it somewhere? Is there a
second right that might cause this action to appear, that isn’t called
“comment on tickets”? Maybe we’ve just overlooked something seemingly not
important but that actually causes commenting to be granted?

To clarify my “search the database” question: I know SQL and how to query
the RT database. I just don’t know which tables or columns to include, or
what value to look for. Thanks.

Alex Hall
Automatic Distributors, IT department
ahall@autodist.com

Hi Alex,On Thu, Dec 15, 2016 at 8:28 AM, Alex Hall ahall@autodist.com wrote:

Hi all,
We’ve just discovered something odd. It seems that all users can comment on
tickets, even though we’ve removed the “comment on tickets” right everywhere
we’ve found it–all groups, privileged users, everyone, etc. I could simply
remove the comment action from the actions list, but I’d rather find out why
the right revoking isn’t doing what I thought.

Is there a way to search the RT database to see where this right is enabled,
to check that none of us (admins) missed it somewhere? Is there a second
right that might cause this action to appear, that isn’t called “comment on
tickets”? Maybe we’ve just overlooked something seemingly not important but
that actually causes commenting to be granted?

To clarify my “search the database” question: I know SQL and how to query
the RT database. I just don’t know which tables or columns to include, or
what value to look for. Thanks.

Have you checked your global rights?

Admin → Global → Groups

PS. There might be a rights debugger in 4.6.

-m

I’ve just discovered that “modify tickets” includes–for some strange
reason–the comment right. Thus, if we want users to be able to modify
other aspects of tickets, they automatically get granted the right to
comment as well. This seems like an odd decision, but at least I think I’ve
found the problem.

Back to removing the option from the Actions menu, then. I’ve been
searching, but I don’t know where this action gets added. I’ve found a few
places where some actions are added to @Actions, but never “comment”.

You mentioned a rights debugger in 4.6. Is 4.6 out for testing? Rights
debugging sounds very useful!On Thu, Dec 15, 2016 at 11:56 AM, Matt Zagrabelny mzagrabe@d.umn.edu wrote:

Hi Alex,

On Thu, Dec 15, 2016 at 8:28 AM, Alex Hall ahall@autodist.com wrote:

Hi all,
We’ve just discovered something odd. It seems that all users can comment
on
tickets, even though we’ve removed the “comment on tickets” right
everywhere
we’ve found it–all groups, privileged users, everyone, etc. I could
simply
remove the comment action from the actions list, but I’d rather find out
why
the right revoking isn’t doing what I thought.

Is there a way to search the RT database to see where this right is
enabled,
to check that none of us (admins) missed it somewhere? Is there a second
right that might cause this action to appear, that isn’t called “comment
on
tickets”? Maybe we’ve just overlooked something seemingly not important
but
that actually causes commenting to be granted?

To clarify my “search the database” question: I know SQL and how to query
the RT database. I just don’t know which tables or columns to include, or
what value to look for. Thanks.

Have you checked your global rights?

Admin → Global → Groups

PS. There might be a rights debugger in 4.6.

-m

Alex Hall
Automatic Distributors, IT department
ahall@autodist.com

You mentioned a rights debugger in 4.6. Is 4.6 out for testing?

Not yet.

Rights

debugging sounds very useful!

My employer is sponsoring the rights debugger. BP said it would be
cored in 4.6 or 4.8.

-m

I’ve just discovered that “modify tickets” includes–for some strange
reason–the comment right. Thus, if we want users to be able to modify
other aspects of tickets, they automatically get granted the right to
comment as well. This seems like an odd decision, but at least I think
I’ve found the problem.

Back to removing the option from the Actions menu, then. I’ve been
searching, but I don’t know where this action gets added. I’ve found a
few places where some actions are added to @Actions, but never “comment”.

I remember running into this as well a while back. Search the source
code for either Modify or Comment, think Modify will get you the right
file(s).
Found it, see:
http://requesttracker.8502.n7.nabble.com/rt-devel-ModifyTicket-versus-CommentOnTicket-td57979.html

Joop