[rt-users] RT self service view - Required privileges.

Jesse Vincent jesse at bestpractical.com
Tue Aug 23 11:58:26 EDT 2005
On Mon, Aug 22, 2005 at 11:33:56PM -0700, Thomas Armstrong wrote:
> I am currently trying to get the self service module of RT working for
> my site and noticed what looks like a security issue. When a user is
> granted the "ShowTicket" right, they are able to change the ticket id
> number in the url i.e. http://<hostname>/SelfService/Display.html?id=32
> to http://<hostname>/SelfService/Display.html?id=33 and view a ticket
> that has been requested by another user. 
> 
> Is there a better way to approach this problem than granting the
> Everyone group the ShowTicket right? I would really prefer to only allow
> a user to see those tickets that belong to them. 

Yes, grant the Requestor group the ShowTicket right.

> 
> Thanks,
> 
> Thomas
> 
> --
> Thomas Armstrong
> University Of Northern British Columbia
> Senior Systems Administrator
> Email: thomas at unbc.ca
> 
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> 
> Be sure to check out the RT Wiki at http://wiki.bestpractical.com
> 

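An added example, not from this thread, that applies Jesse's advice through RT's Perl API: revoke the global ShowTicket grant from Everyone, grant it to the Requestor role instead, then check what a given user can see on two ticket ids. The method names (LoadSystemInternalGroup, LoadSystemRoleGroup, GrantRight, RevokeRight, HasRight, CurrentUserHasRight) are assumed from the RT 3.x API of the period, and the lib path and command-line arguments are placeholders.

```perl
#!/usr/bin/perl
# Added example: move ShowTicket from the Everyone group to the Requestor role
# and verify the result. RT 3.x-era API names assumed; lib path is a placeholder.
use strict;
use warnings;
use lib '/opt/rt3/lib';        # assumption: adjust to your RT install
use RT;
RT::LoadConfig();
RT::Init();

my $right = 'ShowTicket';

# A global grant to Everyone is what lets any self-service user edit the id in
# SelfService/Display.html?id=N and read another requestor's ticket.
my $everyone = RT::Group->new($RT::SystemUser);
$everyone->LoadSystemInternalGroup('Everyone');
if ($everyone->PrincipalObj->HasRight(Right => $right, Object => $RT::System)) {
    my ($ok, $msg) = $everyone->PrincipalObj->RevokeRight(
        Right => $right, Object => $RT::System);
    die "revoke failed: $msg\n" unless $ok;
    print "Revoked global $right from Everyone\n";
}

# The Requestor role group is resolved per ticket, so a user holds the right
# only on tickets where they are a requestor.
my $requestor = RT::Group->new($RT::SystemUser);
$requestor->LoadSystemRoleGroup('Requestor');
unless ($requestor->PrincipalObj->HasRight(Right => $right, Object => $RT::System)) {
    my ($ok, $msg) = $requestor->PrincipalObj->GrantRight(
        Right => $right, Object => $RT::System);
    die "grant failed: $msg\n" unless $ok;
    print "Granted $right to the Requestor role\n";
}

# Verify as the end user: this is the same check Display.html relies on.
# Usage: perl fix_showticket.pl <username> <own ticket id> <other ticket id>
my ($name, @ids) = @ARGV;
my $cu = RT::CurrentUser->new($name);        # assumption: loads by user name
die "no such user: $name\n" unless $cu->Id;
for my $id (@ids) {
    my $t = RT::Ticket->new($cu);
    $t->Load($id);                           # Load itself does no ACL check
    next unless $t->Id;
    printf "ticket %d: %s\n", $id,
        $t->CurrentUserHasRight($right) ? 'visible' : 'denied';
}
```

Run it against a self-service user and one ticket they requested plus one they did not; after the change the first should report visible and the second denied.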