Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Request Tracker>
  3. Users
All users can comment despite that right being revoked
ahall at autodist
Dec 15, 2016, 6:28 AM
Post #1 of 5 (1278 views)
Permalink
Hi all,
We've just discovered something odd. It seems that all users can comment on
tickets, even though we've removed the "comment on tickets" right
everywhere we've found it--all groups, privileged users, everyone, etc. I
could simply remove the comment action from the actions list, but I'd
rather find out why the right revoking isn't doing what I thought.

Is there a way to search the RT database to see where this right is
enabled, to check that none of us (admins) missed it somewhere? Is there a
second right that might cause this action to appear, that isn't called
"comment on tickets"? Maybe we've just overlooked something seemingly not
important but that actually causes commenting to be granted?

To clarify my "search the database" question: I know SQL and how to query
the RT database. I just don't know which tables or columns to include, or
what value to look for. Thanks.

--
Alex Hall
Automatic Distributors, IT department
ahall@autodist.com
Re: All users can comment despite that right being revoked [ In reply to ]
mzagrabe at d
Dec 15, 2016, 8:56 AM
Post #2 of 5 (1271 views)
Permalink
Hi Alex,

On Thu, Dec 15, 2016 at 8:28 AM, Alex Hall <ahall@autodist.com> wrote:
> Hi all,
> We've just discovered something odd. It seems that all users can comment on
> tickets, even though we've removed the "comment on tickets" right everywhere
> we've found it--all groups, privileged users, everyone, etc. I could simply
> remove the comment action from the actions list, but I'd rather find out why
> the right revoking isn't doing what I thought.
>
> Is there a way to search the RT database to see where this right is enabled,
> to check that none of us (admins) missed it somewhere? Is there a second
> right that might cause this action to appear, that isn't called "comment on
> tickets"? Maybe we've just overlooked something seemingly not important but
> that actually causes commenting to be granted?
>
> To clarify my "search the database" question: I know SQL and how to query
> the RT database. I just don't know which tables or columns to include, or
> what value to look for. Thanks.

Have you checked your global rights?

Admin -> Global -> Groups

PS. There might be a rights debugger in 4.6.

-m
---------
RT 4.4 and RTIR training sessions, and a new workshop day! https://bestpractical.com/training
* Los Angeles - January 9-11 2017
Re: All users can comment despite that right being revoked [ In reply to ]
ahall at autodist
Dec 15, 2016, 9:08 AM
Post #3 of 5 (1271 views)
Permalink
I've just discovered that "modify tickets" includes--for some strange
reason--the comment right. Thus, if we want users to be able to modify
other aspects of tickets, they automatically get granted the right to
comment as well. This seems like an odd decision, but at least I think I've
found the problem.

Back to removing the option from the Actions menu, then. I've been
searching, but I don't know where this action gets added. I've found a few
places where some actions are added to @Actions, but never "comment".

You mentioned a rights debugger in 4.6. Is 4.6 out for testing? Rights
debugging sounds very useful!

On Thu, Dec 15, 2016 at 11:56 AM, Matt Zagrabelny <mzagrabe@d.umn.edu>
wrote:

> Hi Alex,
>
> On Thu, Dec 15, 2016 at 8:28 AM, Alex Hall <ahall@autodist.com> wrote:
> > Hi all,
> > We've just discovered something odd. It seems that all users can comment
> on
> > tickets, even though we've removed the "comment on tickets" right
> everywhere
> > we've found it--all groups, privileged users, everyone, etc. I could
> simply
> > remove the comment action from the actions list, but I'd rather find out
> why
> > the right revoking isn't doing what I thought.
> >
> > Is there a way to search the RT database to see where this right is
> enabled,
> > to check that none of us (admins) missed it somewhere? Is there a second
> > right that might cause this action to appear, that isn't called "comment
> on
> > tickets"? Maybe we've just overlooked something seemingly not important
> but
> > that actually causes commenting to be granted?
> >
> > To clarify my "search the database" question: I know SQL and how to query
> > the RT database. I just don't know which tables or columns to include, or
> > what value to look for. Thanks.
>
> Have you checked your global rights?
>
> Admin -> Global -> Groups
>
> PS. There might be a rights debugger in 4.6.
>
> -m
>



--
Alex Hall
Automatic Distributors, IT department
ahall@autodist.com
Re: All users can comment despite that right being revoked [ In reply to ]
mzagrabe at d
Dec 15, 2016, 9:14 AM
Post #4 of 5 (1271 views)
Permalink
On Thu, Dec 15, 2016 at 11:08 AM, Alex Hall <ahall@autodist.com> wrote:

> You mentioned a rights debugger in 4.6. Is 4.6 out for testing?

Not yet.

Rights
> debugging sounds very useful!

My employer is sponsoring the rights debugger. BP said it would be
cored in 4.6 or 4.8.

-m
---------
RT 4.4 and RTIR training sessions, and a new workshop day! https://bestpractical.com/training
* Los Angeles - January 9-11 2017
Re: All users can comment despite that right being revoked [ In reply to ]
jvdwege at xs4all
Dec 15, 2016, 12:06 PM
Post #5 of 5 (1266 views)
Permalink
On 15-12-2016 18:08, Alex Hall wrote:
> I've just discovered that "modify tickets" includes--for some strange
> reason--the comment right. Thus, if we want users to be able to modify
> other aspects of tickets, they automatically get granted the right to
> comment as well. This seems like an odd decision, but at least I think
> I've found the problem.
>
> Back to removing the option from the Actions menu, then. I've been
> searching, but I don't know where this action gets added. I've found a
> few places where some actions are added to @Actions, but never "comment".
>
>
I remember running into this as well a while back. Search the source
code for either Modify or Comment, think Modify will get you the right
file(s).
Found it, see:
http://requesttracker.8502.n7.nabble.com/rt-devel-ModifyTicket-versus-CommentOnTicket-td57979.html

Joop

---------
RT 4.4 and RTIR training sessions, and a new workshop day! https://bestpractical.com/training
* Los Angeles - January 9-11 2017

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal