Can't revoke a right; skip cleaning up invalid delegations?

My ‘Privileged’ group has been assigned ‘DelegateRights’ and
‘SuperUser’. This bonehead move went unnoticed as originally only two
people used the system for a single queue, but now lots of others want
to use the system and of course everybody can do and see anything.

Attempting to remove either of those privileges results in an error ‘Right
could not be revoked’. The following is logged in the httpd/error_log:

[warning]: User not loaded. (/usr/share/perl5/RT/User_Overlay.pm:1555)

Now, I note that the above error comes from the
_CleanupInvalidDelegations function. The two privileges are special due
to this code in ACE_Overlay.pm:

# If we're revoking delegation rights (see above), we may need to
# revoke all rights delegated by the recipient.
if ($val and ($self->RightName() eq 'DelegateRights' or
              $self->RightName() eq 'SuperUser')) {
    $val = $self->PrincipalObj->_CleanupInvalidDelegations( InsideTransaction => 1 );
}

_CleanupInvalidDelegations simply bails immediately because $self->Id
isn’t set:

unless ( $self->Id ) {
    $RT::Logger->warning("User not loaded.");
    return (undef);
}

I’m honestly not sure how this is supposed to work; I haven’t unraveled
enough of the code to figure it all out. How could Id not be set there?

Now, I get that revoking someone’s superuser access should undo any
privileges those people happened to grant. But I really just want a way
out of the current situation, and can go through the users one by one
and remove things manually if indeed that actually happened.

So, a couple of questions:

Has anyone actually found a solution to this issue? I see it asked
several times in the list archives but I could find no solution.

What would actually blow up if I just commented out the call to
_CleanupInvalidDelegations? Will the delegations somehow make the
system explode, or is this just something that’s supposed to ensure that
nobody has superuser access who shouldn’t? I don’t think a few invalid
delegations are a problem for my use case, though I guess if I could
find them I could just clean them up manually.

Any tips, hints, or (of course) outright solutions would be great.

Oh, I’m running 3.8.8+patches currently. I could bump to 3.8.10 if
anyone thinks it would help.

- J<

> My ‘Privileged’ group has been assigned ‘DelegateRights’ and
> ‘SuperUser’. This bonehead move went unnoticed as originally only two
> people used the system for a single queue, but now lots of others want
> to use the system and of course everybody can do and see anything.
>
> Attempting to remove either of those privileges results in an error ‘Right
> could not be revoked’. The following is logged in the httpd/error_log:

You should give rt-validator a try before removing code.

Also, we’ve removed Delegations in RT4 which greatly simplified this
codepath.

-kevin