Suggestion: make "Permission Denied" errors more useful

I’ve just been trying to track down a “Permission Denied” error when extracting articles from tickets for staff users that aren’t admins. I’ve sorted it (it turns out that the user needs the ModifyTicket rights on the ticket that is being extracted, so that the AddLink() function works, which means our users couldn’t generate articles from tickets they could see in some queues but not change), but it would have been so much easier if the error when trying to create the extracted article was a bit more descriptive than just “Permission Denied”. There’s a lot of places that “Permission Denied” can come from after all.

The way I tracked it down in the end was to alter all the “Permission Denied” errors in a local copy of the Perl modules that are called during article creation and append the right that was being denied to the error string. Thus eventually I got “Permission Denied : Missing ModifyTicket” which let me home in on the problem. Now some may worry that this gives away too much information on the rights security, but if that was the case it could just be turned on/off with a config setting, or generate a server log entry. Either way it would still make debugging this sort of thing easier.

Would that be a useful feature for others? Opinions? Or am I the only person this dopey? :slight_smile:

Jon

2 Likes

+1

I’m currently looking into a 403 Forbidden issue in REST 2.0. My situation might not be directly related to this post, but I’m going through the user’s ACL trying to figure out what is needed.

1 Like

I don’t know the code at all, but I think adding the debug log message in the code that does the actual permission check would be better than adding to the code that calls the check. It would be fewer places to change the code, and could be easily set up for three levels: no-log, failure-log, all-log-with-result.

/jeff
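As an added illustration of the design discussed in the two posts above (a centralised check that names the missing right, with a config switch for the user-facing detail and jeff's three log levels), here is a stand-alone Perl sketch. It is not RT's code: the configuration names, the `check_right` and `extract_article` functions and the in-memory ACL are all hypothetical, and the ticket data is constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical configuration knobs (not RT's real config names):
#   PERMISSION_LOG_LEVEL    0 = no log, 1 = log denials only, 2 = log every check with its result
#   PERMISSION_ERROR_DETAIL 1 = append the missing right to the user-facing message, 0 = plain "Permission Denied"
my %Config = (
    PERMISSION_LOG_LEVEL    => 1,
    PERMISSION_ERROR_DETAIL => 1,
);

# Constructed sample ACL: user => { object => { right => 1 } }
my %ACL = (
    alice => { 'Ticket 42' => { SeeTicket => 1, ModifyTicket => 1 } },
    bob   => { 'Ticket 42' => { SeeTicket => 1 } },   # can see the ticket but not change it
);

my @server_log;   # stands in for the server log; a real system would write to a file or syslog

sub log_line {
    my ($msg) = @_;
    push @server_log, $msg;
}

# Central permission check. Every caller goes through here, so the logging and
# the amount of detail in the error live in one place rather than at each call site.
# Returns (1, "") when the right is held and (0, $message) when it is denied.
sub check_right {
    my (%args) = @_;
    my ($user, $object, $right, $caller) = @args{qw(User Object Right Caller)};
    $caller //= 'unknown';

    my $granted = $ACL{$user}{$object}{$right} ? 1 : 0;

    # Level 2 logs everything; level 1 logs only denials; level 0 stays silent.
    if ($Config{PERMISSION_LOG_LEVEL} >= 2
        || ($Config{PERMISSION_LOG_LEVEL} == 1 && !$granted)) {
        log_line(sprintf "ACL %s: user=%s right=%s object=%s from=%s",
                 $granted ? 'GRANTED' : 'DENIED', $user, $right, $object, $caller);
    }

    return (1, "") if $granted;

    # The missing right is only shown to the user when the admin has opted in;
    # the server log above carries it regardless of this setting.
    my $msg = "Permission Denied";
    $msg .= " : Missing $right" if $Config{PERMISSION_ERROR_DETAIL};
    return (0, $msg);
}

# Stand-in for the article-extraction step from the thread: reading the ticket
# needs SeeTicket, and adding the link back to the ticket needs ModifyTicket.
sub extract_article {
    my ($user, $ticket) = @_;
    for my $right (qw(SeeTicket ModifyTicket)) {
        my ($ok, $msg) = check_right(
            User => $user, Object => $ticket, Right => $right, Caller => 'extract_article',
        );
        return (0, $msg) unless $ok;
    }
    return (1, "Article created from $ticket");
}

for my $user (qw(alice bob)) {
    my ($ok, $msg) = extract_article($user, 'Ticket 42');
    printf "%-5s => %s\n", $user, $msg;
}

print "--- server log ---\n";
print "$_\n" for @server_log;
```

With the settings shown, alice gets her article, bob gets “Permission Denied : Missing ModifyTicket”, and the server log records a single DENIED line naming the user, the right, the object and the calling operation. Setting `PERMISSION_ERROR_DETAIL` to 0 gives bob the bare “Permission Denied” while the log entry is unchanged, which is the split between user-facing detail and server-side evidence that the original post asks for.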

It was added in the places that do the checks. It’s just that there are lots of places that make those checks in the code (you’d be surprised how much ACL checking can take place for some operations in RT).