[rt-users] Separated queues

AJ rt at musefoundry.com
Thu Jan 8 14:04:36 EST 2004


Saw this post a few days ago but only last night identified what I think is
an issue with the permissions system, but it very well may be its appropriate
execution and I just opened up a huge security hole, and I would like to run it
by you folks before rolling it out.

Requirement:
Wanted to set up so when someone logs in, they are given a list of queues to
create in but only see the queue they are a member of.

Quick Summary of environment:
RT 3.0.7_RC1
We have two front-ends (different look and feel) but one DB.
All permissions are handled through Groups, no individual user perms.

Problem:
Group A has CreateTicket and SeeQueue for Queue A
Group B has CreateTicket for Queue A

Now, the /Elements/SelectNewTicketQueue has:
@{$session{'create_in_queues'}} = ();
my $q=new RT::Queues($session{'CurrentUser'});
$q->UnLimit;
while (my $queue=$q->Next) {
        if ($queue->CurrentUserHasRight('CreateTicket')) { 

Perhaps I am missing something, but shouldn't this show all the Queues that
the person has CreateTicket in?  The behavior I am seeing is that it only
shows the queues that the person has both SeeQueue and CreateTicket. Is the
CreateTicket right dependent on the SeeQueue right?

Now by changing the line that gets the queue list:
FROM:
my $q=new RT::Queues($session{'CurrentUser'});

TO:
my $q=new RT::Queues($RT::SystemUser);

I then get the behavior I want and the user is presented with a list of
queues that they can create tickets in but not necessarily see.

So back to the original question:  I got the result I wanted but what did I
do in the process?

Thanks in advance
A.J.

-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com
[mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Morgan
Nilsson
Sent: Sunday, January 04, 2004 6:21 PM
To: rt-users at lists.bestpractical.com
Subject: [rt-users] Separated queues

Hi.

I use: RT 3.0.7_01 on fedora with postgresql-7.3.4-11.

I would like to separate queues for different users.
I would not even like the users to know about each other
or other queues, etc. Has anyone used RT this way?

I did a test setup, but I could not stop users from clicking
on Configuration and then list all other users (I read the
message about hiding the tab...).

Also when searching for tickets you can choose all other owners
in the dropdown. I got "Found 1 ticket", but none was displayed when 
searching for another owner than myself.

The idea is to have our support use one system for different customers.
This way we can have an overview of all issues.
The customers should be able to login and create new tickets and
close tickets, etc, in their queue only. But it is not very good
if they know about the other tickets, customers, queues or groups.

What else must I consider to have this setup?

/Morgan
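
A toy Perl model of the queue lookup discussed in the message above, added here as an example; it is not RT code and not code from the post. It assumes that the collection hides queues the loading user lacks SeeQueue on and that CurrentUserHasRight() tests that same loading user, and it compares the stock lookup, the SystemUser lookup, and a variant that loads as SystemUser but checks CreateTicket for the session user. "Queue C" and all names in the code are constructed, and each group name stands in for a user whose rights come only from that group.

```perl
#!/usr/bin/perl
# Toy model of the queue picker (not RT code). Assumed semantics: a queue
# object remembers the user it was loaded as, the collection hides queues that
# user cannot see, and CurrentUserHasRight() tests that same user.
use strict;
use warnings;

# Constructed ACL: group => queue => rights. Neither group holds rights on Queue C.
my %ACL = (
    'Group A' => { 'Queue A' => [qw(SeeQueue CreateTicket)] },
    'Group B' => { 'Queue A' => [qw(CreateTicket)] },
);
my @QUEUES = ('Queue A', 'Queue C');

package Queue;
sub new  { my ($class, %args) = @_; return bless {%args}, $class }
sub Name { return $_[0]{name} }
# Right check for an explicit principal; 'SystemUser' holds every right.
sub HasRight {
    my ($self, $who, $right) = @_;
    return 1 if $who eq 'SystemUser';
    return scalar grep { $_ eq $right } @{ $ACL{$who}{ $self->{name} } || [] };
}
# Right check for whoever the object was loaded as.
sub CurrentUserHasRight { my ($self, $right) = @_; return $self->HasRight($self->{as}, $right) }

package main;

# Collection load: only queues on which $as has SeeQueue are returned.
sub load_queues {
    my ($as) = @_;
    return grep { $_->HasRight($as, 'SeeQueue') }
           map  { Queue->new(name => $_, as => $as) } @QUEUES;
}

# Stock lookup, the SystemUser lookup, and a variant that checks the session user.
sub stock   { my ($u) = @_; return map { $_->Name } grep { $_->CurrentUserHasRight('CreateTicket') } load_queues($u) }
sub patched { return map { $_->Name } grep { $_->CurrentUserHasRight('CreateTicket') } load_queues('SystemUser') }
sub checked { my ($u) = @_; return map { $_->Name } grep { $_->HasRight($u, 'CreateTicket') } load_queues('SystemUser') }

for my $user ('Group A', 'Group B') {
    printf "%-8s stock=[%s] patched=[%s] checked=[%s]\n", $user,
        join(', ', stock($user)), join(', ', patched()), join(', ', checked($user));
}
```

Under these assumptions the SystemUser lookup lists every queue for every user, while the variant that checks the session user lists only queues where that user holds CreateTicket.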