[rt-users] 'Goto ticket' problem?

Chris Fewtrell chris at uk.clara.net
Fri Jun 27 02:42:52 EDT 2003


On Thu, 2003-06-26 at 17:41, Peter Watson wrote:
> I'm running RT 3.0.2 and have set some 'unprivileged' users up on my test
> system.  If I log in as one of those users and get the 'Self Service' page I
> am able to view any ticket (i.e. not just mine, and from a different Queue)
> by entering a number for the Goto Ticket button.  I've seen references to
> this problem in the mailing list archive but not the solution.

I had a similar problem: I didn't want the unprivileged users getting at
the other tickets, only ones they were a requestor of. The
Display.html in SelfService (as does the Display.html in Tickets) has a
condition I modified. Where it reads

unless ( $Ticket->CurrentUserHasRight('ShowTicket') ) {
    $m->comp( 'Error.html',
        Why => loc("No permission to display that ticket") );
    $m->abort();
}

to be instead

unless ( $Ticket->CurrentUserHasRight('ShowTicket') &&
    ( $session{'CurrentUser'}->Privileged ||
      $Ticket->IsRequestor( $session{'CurrentUser'}->PrincipalId ) ) )
{
    $m->comp( 'Error.html', Why => loc("No permission to view ticket") );
    $m->abort();
}

Now this modification probably does more than you want, as only if the
user is privileged or they are a requestor does it let them view it
(that and they have the "Show Ticket" right which I granted Unprivileged
users for the Queue).

I've not seen the mailing list archive records of this problem and only
put this together and started using it in the last 24 hours, and it
appears to work fine.

-- 
Best Regards,
Chris Fewtrell <chris at uk.clara.net>
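
The effect of the two conditions quoted above, as an added example that is not part of the original post or of RT's code: a stand-alone Perl model run against constructed users. MockTicket and MockUser are hypothetical stand-ins that mimic only the three methods the check calls, and the model assumes ShowTicket is granted queue-wide to unprivileged users, as the post describes.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of the two Display.html conditions.
# MockUser and MockTicket are hypothetical stand-ins, not RT classes.
use strict;
use warnings;

package MockUser;
sub new         { my ($class, %a) = @_; return bless {%a}, $class }
sub Privileged  { $_[0]{privileged} }
sub PrincipalId { $_[0]{id} }

package MockTicket;
sub new { my ($class, %a) = @_; return bless {%a}, $class }
# Assumption: the right is queue-wide, so it does not depend on who asks.
sub CurrentUserHasRight { my ($self, $right) = @_; $self->{rights}{$right} ? 1 : 0 }
sub IsRequestor { my ($self, $id) = @_; scalar grep { $_ == $id } @{ $self->{requestors} } }

package main;

# Original condition: the ShowTicket right alone decides.
sub original_allows {
    my ($ticket, $user) = @_;
    return $ticket->CurrentUserHasRight('ShowTicket') ? 1 : 0;
}

# Condition from the post: right AND (privileged OR requestor).
sub modified_allows {
    my ($ticket, $user) = @_;
    return ( $ticket->CurrentUserHasRight('ShowTicket')
          && ( $user->Privileged || $ticket->IsRequestor( $user->PrincipalId ) ) ) ? 1 : 0;
}

# Constructed sample data: one ticket whose only requestor is principal 101.
my $ticket = MockTicket->new( rights => { ShowTicket => 1 }, requestors => [101] );
my @cases = (
    # [ description, user, expected result of the modified check ]
    [ 'unprivileged requestor',     MockUser->new( id => 101, privileged => 0 ), 1 ],
    [ 'unprivileged non-requestor', MockUser->new( id => 102, privileged => 0 ), 0 ],
    [ 'privileged staff',           MockUser->new( id => 200, privileged => 1 ), 1 ],
);

for my $c (@cases) {
    my ($name, $user, $want) = @$c;
    my $got = modified_allows( $ticket, $user );
    printf "%-28s original=%d modified=%d %s\n",
        $name, original_allows( $ticket, $user ), $got, $got == $want ? 'ok' : 'FAIL';
}
```

The second row is the case from the question: with the queue-wide right, the original check lets the unprivileged non-requestor through and the modified check does not.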




