The current code applies the same restrictions and checks for RO and RW DCs; it also implies that this call is made only by an RODC.
Created attachment 8056
Proposed patch to fix part 1

In order to fix this issue I separated the problem into two parts. The first one removes the link in the debug and in the comments between exop_repl_object_with_secrets and rodc, as a rwdc can call this RPC as well (even though in practice it's unlikely to happen). In order to differentiate rw from ro we check the presence of the get_all_changes right.
Created attachment 8057
Proposed patch to fix part 2

In this patch we actually bypass the allow/deny tests for rwdc.
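A simplified model of the decision the two comments above describe, as an added example that is not Samba's code or the attached patches: a caller holding the get_all_changes right is treated as a RWDC and skips the allow/deny tests, while any other caller is treated as an RODC and is evaluated against its lists. The `Caller` type, the list field names, the deny-before-allow ordering, the default refusal and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Right named in the comment above; its presence distinguishes a RWDC from an RODC.
GET_ALL_CHANGES = "get_all_changes"


@dataclass
class Caller:
    """Hypothetical view of the DC making the replicate-with-secrets request."""
    name: str
    rights: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)   # assumed per-RODC deny list
    allow_groups: set = field(default_factory=set)  # assumed per-RODC allow list


def may_replicate_secrets(caller, target_groups):
    """Return (allowed, reason) for one target account.

    The reason string is kept so that every decision can be logged and audited.
    """
    if GET_ALL_CHANGES in caller.rights:
        # RWDC: already entitled to all changes, so the allow/deny
        # tests are bypassed (part 2 in the thread).
        return True, "rwdc: allow/deny tests bypassed"
    groups = set(target_groups)
    # RODC path. Assumption: deny is evaluated before allow, and an
    # account matching neither list is refused.
    if groups & caller.deny_groups:
        return False, "rodc: target matches deny list"
    if groups & caller.allow_groups:
        return True, "rodc: target matches allow list"
    return False, "rodc: target not in allow list"


# Constructed sample callers and accounts (not taken from the bug report).
RWDC = Caller("dc1", rights={GET_ALL_CHANGES})
RODC = Caller("rodc1", deny_groups={"Domain Admins"}, allow_groups={"Branch Users"})

if __name__ == "__main__":
    for caller, groups in [
        (RWDC, ["Domain Admins"]),
        (RODC, ["Branch Users"]),
        (RODC, ["Branch Users", "Domain Admins"]),
        (RODC, ["HQ Users"]),
    ]:
        print(caller.name, groups, may_replicate_secrets(caller, groups))
```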
Andrew, when you have ACKed a patch by a team member, the next step in our release procedure is to assign the bug to Karolin, which is the sign for her to pick the patch to the release branch.

Cheers - Michael

PS: Assigning to Karolin.
Pushed to autobuild-v4-0-test. Closing out bug report. Thanks!