[Rt-devel] SelfService doesn't let unprivileged users see full headers

Duncan McEwan duncan at mcs.vuw.ac.nz
Tue Nov 30 22:16:44 EST 2004


I'm not sure whether this is just an oddity with the way our RT (3.2.2) is
set up or whether other people are seeing this as well.

If an unprivileged user goes to the self service interface they can select
one of their tickets and view the transaction log OK.

But if they click on "Full Headers" or on the "Show" link of an outgoing email
transaction they get taken straight back to the page listing each of their
tickets.

If they are not supposed to be able to do this, I would have thought they
should get some kind of "permission denied" error rather than this slightly
odd behaviour.

Some things about our setup that might be affecting this:

- We are using external web server based authentication ($WebExternalAuth
  set to 1 in the config)

- In the global group rights, "Everyone" has CreateTicket, ReplyToTicket and
  SeeQueue.  The "Requestor" role has CommentOnTicket, ShowOutgoingEmail
  and ShowTicket.  There are no queue specific group rights for Everyone or
  Requestor.

This isn't of great concern to me since it obviously isn't a particularly
serious problem.  But one of our more "inquisitive" users did point it out
to us approx 30 minutes after our new RT 3 system went live (!) and I'd like
to be able to give him an explanation.

If others can confirm whether or not they see the same thing happening, I will
also send a bug to rt-bugs.

Duncan
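One way to check which of the rights listed above an unprivileged user actually holds on one of their own tickets is to ask RT's Perl API directly, acting as that user. This is an added diagnostic, not code from the original post or from RT; the install path /opt/rt3, the user name jsmith and ticket #42 are assumptions, and the set of rights checked is simply the ones the post mentions plus ShowTicketComments.

```perl
#!/usr/bin/perl
# Added diagnostic example, not part of the original post or of RT itself.
# Assumed: RT 3.x installed under /opt/rt3, a user 'jsmith' who is the
# requestor of ticket #42. Run as the RT system user so RT_SiteConfig.pm
# and the database are readable.
use strict;
use warnings;
use lib '/opt/rt3/lib';
use RT;

RT::LoadConfig();
RT::Init();

my $user_name = 'jsmith';   # assumption: the unprivileged user who saw the redirect
my $ticket_id = 42;         # assumption: one of that user's own tickets

# Load the user record with system privileges, then build a CurrentUser
# object so that all later ACL checks are made as that user.
my $user = RT::User->new($RT::SystemUser);
$user->Load($user_name) or die "no such user: $user_name\n";
my $cu = RT::CurrentUser->new($user->Id);

my $ticket = RT::Ticket->new($cu);
$ticket->Load($ticket_id) or die "cannot load ticket $ticket_id\n";

# CurrentUserHasRight resolves grants through the Requestor role, the
# ticket's queue and the global group rights, so a 'no' here is the
# effective answer the self-service pages will get.
for my $right (qw(ShowTicket ShowOutgoingEmail ShowTicketComments SeeQueue)) {
    printf "%-20s %s\n", $right,
        $ticket->CurrentUserHasRight($right) ? 'yes' : 'no';
}
```

Running this as the user who hit the redirect shows whether the missing piece is a right not granted at all or a right granted only through a role the user does not hold on that ticket.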