Bugzilla – Bug 107
incomplete ACL checks for routing queues
Last modified: 2010-12-23 03:05:40 MST
The function svr_chkque() in server/svr_jobfunc.c does not execute all ACL
checks for routing queues; in particular the group ACL is only checked for
* 1. If the queue is an Execution queue ...
/* 1f. if enabled, check the queue's group ACL */
Thus, routing queues can only be restricted on the basis of *user* ACLs as user
ACLs are checked later as "5. if enabled, check the queue's user ACL" for any
To enable group ACLs (and acl_logic_or=true) also for routing queues, the check
"1f. if enabled, check the queue's group ACL" probably should be done for any
queue type. "5.5. if failed user and group acls, fail" also only makes sense if
"1f" is executed for any queue type (because otherwise failed_group_acl cannot
be set for any non-execution queue).
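
The check order described in this report, as a simplified C model that is an added illustration and not code from server/svr_jobfunc.c. All identifiers except `failed_group_acl` and the step numbers are hypothetical, and the model assumes that with acl_logic_or and both ACLs enabled a single failed ACL is deferred to step 5.5.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the check order described above. All identifiers are
 * hypothetical; only the step numbers and failed_group_acl come from the bug. */
enum qtype { Q_EXECUTION, Q_ROUTE };
struct queue { enum qtype type; bool group_acl, user_acl, logic_or; };
struct job   { bool in_group_acl, in_user_acl; };

/* Returns true if the job is admitted. check_all_types=false models the
 * reported behaviour (1f only for execution queues), true the proposed fix. */
static bool admit(const struct queue *q, const struct job *j, bool check_all_types)
{
    bool failed_group_acl = false, failed_user_acl = false;
    /* Assumption: with acl_logic_or and both ACLs enabled, a single failed
     * ACL is deferred to step 5.5 instead of rejecting immediately. */
    bool deferred = q->logic_or && q->group_acl && q->user_acl;

    /* 1f. group ACL */
    if ((q->type == Q_EXECUTION || check_all_types) && q->group_acl && !j->in_group_acl) {
        if (!deferred) return false;
        failed_group_acl = true;
    }
    /* 5. user ACL, checked for any queue type */
    if (q->user_acl && !j->in_user_acl) {
        if (!deferred) return false;
        failed_user_acl = true;
    }
    /* 5.5. fail only if both the user and the group ACL failed */
    return !(failed_group_acl && failed_user_acl);
}

int main(void)
{
    /* Constructed case: routing queue restricted by a group ACL only. */
    struct queue route = { Q_ROUTE, true, false, false };
    struct job outsider = { false, false };
    printf("group-only routing queue, outsider: reported=%d fixed=%d\n",
           admit(&route, &outsider, false), admit(&route, &outsider, true));
    /* Constructed case: both ACLs enabled together with acl_logic_or. */
    route.user_acl = route.logic_or = true;
    printf("logic_or routing queue, outsider:   reported=%d fixed=%d\n",
           admit(&route, &outsider, false), admit(&route, &outsider, true));
    return 0;
}
```

In the model, a job outside both ACLs is admitted to the routing queue under the reported check order and rejected once step 1f runs for every queue type; a job that satisfies only the user ACL is still admitted under acl_logic_or.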