[rt-users] RT self service view - Required privileges.
Thomas Armstrong
thomas at unbc.ca
Tue Aug 23 02:33:56 EDT 2005
I am currently trying to get the self service module of RT working for
my site and noticed what looks like a security issue. When a user is
granted the "ShowTicket" right, they are able to change the ticket id
number in the URL, i.e. http://<hostname>/SelfService/Display.html?id=32
to http://<hostname>/SelfService/Display.html?id=33 and view a ticket
that has been requested by another user.
Is there a better way to approach this problem than granting the
Everyone group the ShowTicket right? I would really prefer to only allow
a user to see those tickets that belong to them.
Thanks,
Thomas
--
Thomas Armstrong
University Of Northern British Columbia
Senior Systems Administrator
Email: thomas at unbc.ca
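
The access pattern described in the message above, as an added example that is not part of the original post and not RT's own code: a small Python model in which the right is resolved against the requested ticket on every request. The `Requestor` role name, the grant tuples and the sample tickets are assumptions constructed for illustration.

```python
# Added illustration: a toy model of ticket rights, not RT's implementation.
from dataclasses import dataclass

EVERYONE = "Everyone"      # principal matching any authenticated user
REQUESTOR = "Requestor"    # assumed role: matches only the ticket's requestor


@dataclass(frozen=True)
class Ticket:
    id: int
    requestor: str


# Constructed sample data.
TICKETS = {32: Ticket(32, "alice"), 33: Ticket(33, "bob")}


def principal_matches(principal, user, ticket):
    """Resolve a grant's principal against this user and this ticket."""
    if principal == EVERYONE:
        return True
    if principal == REQUESTOR:
        return ticket.requestor == user
    return principal == user  # direct per-user grant


def can_show(grants, user, ticket_id):
    """Authorize on every request, using the id taken from the URL."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return False
    return any(right == "ShowTicket" and principal_matches(p, user, ticket)
               for p, right in grants)


def visible_ids(grants, user):
    """Ticket ids the user can open by editing ?id= in the URL."""
    return sorted(t for t in TICKETS if can_show(grants, user, t))


BROAD = [(EVERYONE, "ShowTicket")]     # the grant described in the message
SCOPED = [(REQUESTOR, "ShowTicket")]   # right tied to the ticket's requestor

if __name__ == "__main__":
    for name, grants in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, {u: visible_ids(grants, u) for u in ("alice", "bob")})
```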