[rt-users] RT self service view - Required privileges.

Bjørn Skovlund Rydén bjorn at 247ms.com
Tue Aug 23 03:02:12 EDT 2005


> -----Original Message-----

> I am currently trying to get the self service module of RT 
> working for my site and noticed what looks like a security 
> issue. When a user is granted the "ShowTicket" right, they 
> are able to change the ticket id number in the url i.e. 
> http://<hostname>/SelfService/Display.html?id=32
> to http://<hostname>/SelfService/Display.html?id=33 and view 
> a ticket that has been requested by another user. 
> 
> Is there a better way to approach this problem than granting 
> the Everyone group the ShowTicket right? I would really 
> prefer to only allow a user to see those tickets that belong to them. 

If you grant ShowTicket in a queue or global context, that is the correct behaviour. You should grant the privilege to the role "Requestor".

If you don't have an email address on an account, they won't be attached as requestor to the cases they make, so make sure people have email addresses on their accounts.

Cheers, Bjorn
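The difference between the two grants above, as an added illustration that is not part of this thread and not RT's own code: a small Python model of RT-style rights resolution, with constructed users, tickets and an ACL. A ShowTicket grant to Everyone in queue context is satisfied by every ticket in that queue, so editing the id in the Display.html URL walks the whole queue. The same right granted to the Requestor role is resolved against each ticket's own watcher list, which makes it an object-level check. The third user, with no email address, never becomes a requestor of her own ticket and so sees nothing, which is the caveat in the reply. Names, addresses, queue name and ticket ids are assumptions for the example.

```python
"""Toy model of RT-style rights resolution (added illustration, not RT code).

It shows why a ShowTicket grant to Everyone in queue or global context lets a
self-service user walk ticket ids, while the same right granted to the
Requestor role is resolved against each ticket's own watchers. All user
names, addresses, queue names and ticket ids below are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SHOW_TICKET = "ShowTicket"
EVERYONE = "Everyone"          # system group every user belongs to
REQUESTOR = "Requestor"        # role group whose members differ per ticket


@dataclass
class User:
    name: str
    email: Optional[str] = None   # no address: cannot be attached as Requestor


@dataclass
class Ticket:
    id: int
    queue: str
    requestors: Set[str] = field(default_factory=set)   # requestor emails


@dataclass(frozen=True)
class Grant:
    principal: str   # EVERYONE, REQUESTOR, or a user name
    right: str
    scope: str       # "global" or "queue:<name>"


def create_ticket(ticket_id: int, queue: str, creator: User) -> Ticket:
    """Mimic self-service ticket creation: the creator becomes Requestor only
    if the account carries an email address (the caveat in the reply)."""
    requestors = {creator.email} if creator.email else set()
    return Ticket(ticket_id, queue, requestors)


class ACL:
    def __init__(self) -> None:
        self.grants = set()

    def grant(self, principal: str, right: str, scope: str = "global") -> None:
        self.grants.add(Grant(principal, right, scope))

    def has_right(self, user: User, right: str, ticket: Ticket) -> bool:
        for g in self.grants:
            if g.right != right or g.scope not in ("global", f"queue:{ticket.queue}"):
                continue
            if g.principal in (EVERYONE, user.name):
                # Applies to every ticket in scope: any id in the URL passes.
                return True
            if g.principal == REQUESTOR and user.email in ticket.requestors:
                # Role membership is per ticket, so this is an object-level check.
                return True
        return False


def self_service_display(acl: ACL, user: User, tickets: Dict[int, Ticket],
                         ticket_id: int) -> Optional[Ticket]:
    """Display.html?id=<ticket_id>: return the ticket, or None if not permitted."""
    ticket = tickets.get(ticket_id)
    if ticket is None or not acl.has_right(user, SHOW_TICKET, ticket):
        return None
    return ticket


def visible_ids(acl: ACL, user: User, tickets: Dict[int, Ticket]) -> List[int]:
    """What a user who edits the id in the URL can enumerate."""
    return sorted(t for t in tickets if self_service_display(acl, user, tickets, t))


def build_world():
    """Constructed sample data: two users with email, one without."""
    alice = User("alice", "alice@example.com")
    bob = User("bob", "bob@example.com")
    carol = User("carol")                       # account with no email address
    tickets = {t.id: t for t in (
        create_ticket(32, "Support", alice),
        create_ticket(33, "Support", bob),
        create_ticket(34, "Support", carol),
    )}
    return alice, bob, carol, tickets


def everyone_acl() -> ACL:
    """The configuration from the question: ShowTicket to Everyone on the queue."""
    acl = ACL()
    acl.grant(EVERYONE, SHOW_TICKET, "queue:Support")
    return acl


def requestor_acl() -> ACL:
    """The configuration from the reply: ShowTicket to the Requestor role."""
    acl = ACL()
    acl.grant(REQUESTOR, SHOW_TICKET, "queue:Support")
    return acl


if __name__ == "__main__":
    alice, bob, carol, tickets = build_world()
    for label, acl in (("Everyone", everyone_acl()), ("Requestor", requestor_acl())):
        for u in (alice, bob, carol):
            print(f"{label:9} {u.name:6} sees {visible_ids(acl, u, tickets)}")
```

Running it shows every user enumerating 32, 33 and 34 under the Everyone grant, alice seeing only 32 and bob only 33 under the Requestor grant, and carol seeing nothing at all because her ticket has no requestor to match.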
