When users or groups have 'Manage Documents' rights on a printer, they cannot do things that should be possible with these access rights (like canceling other users' print jobs). This seems to be possible only for users or groups with the SePrintOperatorPrivilege privilege.
Problem seems to be in print_access_check() in printing/nt_printing.c. When checking for JOB_ACCESS_ADMINISTER privileges, the code changes this and checks for PRINTER_ACCESS_ADMINISTER privs instead.
Created attachment 2988
Patch to fix JOB_ACCESS_ADMINISTER privileges
This patch disables the modification of JOB_ACCESS_ADMINISTER into PRINTER_ACCESS_ADMINISTER privileges. This seems to fix the described problem. However, I'm not sure if it introduces security issues.
Created attachment 3275
Sure, I took a close look but I don't think that patch is correct.
Thanks for pointing it out though, as it pointed out where the
real bug was.
I understand much more about the printer system now, and I think
the patch attached may be a better fix.
I've tested the patch (applied to 3.0.28a) and it fixes the problem as far as I can see. Thanks!
One thing: when compiling, I noticed the following warning. I reckon it is caused by the const definition of the job_generic_mapping struct.
printing/nt_printing.c: In function `map_job_permissions':
printing/nt_printing.c:5442: warning: passing arg 2 of `se_map_generic' discards qualifiers from pointer target type
Fixed in 3.0.28a or above. Thanks for testing!