[Rt-commit] rt branch, 4.4/watcher-header-rights-check, created. rt-4.4.3-17-g3e6087598

Craig Kaiser craig at bestpractical.com
Wed Jul 18 13:33:09 EDT 2018


The branch, 4.4/watcher-header-rights-check has been created
        at  3e60875988e5a11c437f4c12d6a952db22995235 (commit)

- Log -----------------------------------------------------------------
commit 3e60875988e5a11c437f4c12d6a952db22995235
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Thu Jul 5 16:10:43 2018 -0400

    Only show watcher table header after rights check
    
    Ensure that a user without rights to view groups cannot brute
    force group names.
    
    References:
    https://forum.bestpractical.com/t/using-groups-to-add-ticket-ccs-bug-or-incorrect-permissions/33085

diff --git a/share/html/Ticket/Elements/AddWatchers b/share/html/Ticket/Elements/AddWatchers
index fc57f2aae..3159ddc8a 100644
--- a/share/html/Ticket/Elements/AddWatchers
+++ b/share/html/Ticket/Elements/AddWatchers
@@ -68,7 +68,7 @@
 % }
 % }
 
-% if ($Groups and $Groups->Count) {
+% if ($session{CurrentUser}->HasRight(Object => $RT::System, Right => 'SeeGroup') and $Groups && $Groups->Count) {
 <tr><td>
 <&|/l&>Type</&>
 </td><td>
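
Review bot: The SeeGroup test added on the "% if" line only guards whatever this block encloses, and the context here shows just the opening of the Type header row, so it is not visible whether the per-group result rows are inside the same block. If those rows are emitted outside it, a user without SeeGroup would still see matching group names and the brute-force concern in the commit message would remain. Please confirm that the block's closing "% }" comes after the row loop, or move the HasRight check to where $Groups is populated so the search is not run at all for such users. Separately, the condition mixes "and" with "&&". It parses as intended because "&&" binds tighter than "and", but using one operator throughout would be easier to read. The patch touches only AddWatchers; a test exercising this element as a user without SeeGroup would help keep the check in place.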

-----------------------------------------------------------------------

