[rt-users] User rights not checked when accessing tickets directly via number?

me-maillists at billskill.com me-maillists at billskill.com
Tue Apr 23 09:39:33 EDT 2002


Hi all,

Just found a problem with RT 2.0.13 on our site, that a user with no
rights on a certain queue can access the tickets in that queue if he
accesses them directly by number. First realised this when just clicking a
link in an autogenerated mail and saw that I had the wrong user logged in
when testing stuff.

Can anyone else confirm this behaviour or is it just me that has managed
to screw up my config?

Some background:

Just installed RT and trying to configure this for use by our internal
support/helpdesk. Realising how neat RT is I started playing with the idea
to also let it handle the company info requests.

For certain reasons I don't want our support clients to be able to view
these internal errors and also didn't want those internal notes to generate
any autoreplies.

So the solution was that I have removed the global scrip
OnCreate->AutoreplyRequestor->Autoreply template and added it to the
queues where I want the autoreply to be created.

Secondly, I have created two groups, one for company use and one for
external support clients. The local group has global rights to view any
queue whereas the support group only has access to the groups of their
interest.

Is the assumption that this ought to work correct or should I have two
separate installations to handle it?

Best regards

Magnus Egnerfors





