[rt-users] users able to view all tickets using "Search" function?

Scott Golby sgolby at freshdirect.com
Mon Oct 23 15:09:50 EDT 2006


> Has anyone noticed with RT 3.6.1 that an otherwise unprivileged user
> (one who belongs to a group that only has CreateTicket, ReplyTicket, and
> SeeQueue applied and no other perms anywhere) can do a search for "%"
> and view a bunch of old, resolved tickets?  I've also noticed that certain

Nope, I get this when I tried from a low-level user account.
  X RT Error 
  Couldn't load ticket '%'

We are using Postgres as our database.

I tested some random ticket numbers last week when I set up this test
user and they weren't able to get to other tickets.

What I've done to lock my users down is set up on each Queue:
'Everyone' has CommentOnTicket, CreateTicket, ReplyToTicket, SeeQueue

Then on a Global basis I set up, under Group Rights, Roles, Requestor to have
'ShowTicket'.  If I didn't do this they couldn't see a list of their own
tickets on the webpage.

There are a lot of places permissions can hide with roles & user-defined
groups off the end of the page, so it might be buried down
there.

- Scott
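
One way to check for the buried grants mentioned above, as an added example that is not part of the original post or of RT itself: a read-only query against the RT database listing every global and per-queue grant of a ticket-viewing right. The table and column names (ACL, Groups, Queues) are assumed from the RT 3.x schema and should be verified against the installed schema.

```sql
-- Added example: list every place a ticket-viewing right is granted,
-- globally or per queue, so grants attached to roles and user-defined
-- groups show up in one result set instead of many admin pages.
-- Assumption: RT 3.x table and column names; verify before relying on it.
SELECT
    a.RightName,
    a.ObjectType,                            -- 'RT::System' = global, 'RT::Queue' = per queue
    COALESCE(q.Name, '(global)') AS queue_name,
    a.PrincipalType,                         -- 'Group' or a role name such as 'Requestor'
    g.Domain AS group_domain,                -- e.g. SystemInternal, UserDefined, RT::Queue-Role
    g.Type   AS group_type,                  -- e.g. Everyone, Unprivileged, Requestor
    g.Name   AS group_name                   -- set for user-defined groups
FROM ACL a
LEFT JOIN Groups g
       ON g.id = a.PrincipalId
LEFT JOIN Queues q
       ON a.ObjectType = 'RT::Queue'
      AND q.id = a.ObjectId
WHERE a.RightName IN ('ShowTicket', 'ShowTicketComments', 'SuperUser')
ORDER BY a.ObjectType, queue_name, a.PrincipalType, group_type;
```

Any row whose group is Everyone, Unprivileged, or a broad user-defined group is a candidate explanation for a low-privilege account seeing tickets it should not.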



