--- /dev/null
+use strict;
+use warnings;
+
+our (@Final);
+
+push @Final, sub {
+ my %global = %{ RT->System->AvailableRights };
+ my $handle = RT->DatabaseHandle;
+
+ for my $role (RT::System->Roles) {
+ my $group = RT::Group->new( RT->SystemUser );
+ my ($ok, $msg) = $group->LoadRoleGroup(
+ Object => RT->System,
+ Name => $role,
+ );
+
+ unless ($group->id) {
+ RT->Logger->error("Can't load role group $role: $msg");
+ next;
+ }
+
+ my %rights = %{ RT->System->AvailableRights( $group->PrincipalObj ) };
+
+ # Global rights which aren't available on the role anymore
+ my @remove = grep { not $rights{$_} }
+ keys %global;
+ my $placeholders = join ",", map { "?" } 1 .. scalar @remove;
+
+ my $query = <<" SQL";
+ DELETE FROM ACL
+ WHERE PrincipalType = ?
+ AND PrincipalId = ?
+ AND ObjectType = 'RT::System'
+ AND RightName IN ($placeholders)
+ SQL
+
+ my $res = $handle->SimpleQuery(
+ $query,
+ $role, # Type
+ $group->PrincipalId, # Id
+ @remove, # Right names
+ );
+
+ unless ($res) {
+ RT->Logger->error("Failed to delete invalid rights on system role $role!");
+ next;
+ }
+ }
+};