[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2

Carlos Garcia Montoro cgarcia at ific.uv.es
Fri Jun 5 03:55:50 EDT 2009


Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as you. 
But to my unpleasant surprise, a user who only has
- "ShowConfigTab" global right for himself.
- "ShowApprovalsTab" global right for Privileged users. And
- "CreateTicket" and "SeeQueue" in some queues as Everyone's rights in 
those queues.
can do nothing harmful with the single exception of modifying the global 
RT at a glance.

This behaviour has surprised me probably as much as you. Because of it, 
I would like someone else to check this configuration in order to see 
whether it is my fault (I am doing something wrong) or it is an RT bug 
(this happens to everybody, but it shouldn't).

Greetings,
Carlos

PS: I found somewhere an RT installation for testing purposes, but user 
grants, including root's, were so restricted that I couldn't 
reproduce the configuration I wanted.

Ken Crocker wrote:
> Carlos,
> 
>     I may be mistaken, but I think the "ShowConfigTab" merely allows the 
> user to see that tab and the functions under it. The user still needs to 
> have other rights (like "ShowTemplate" and "ModifyTemplate") in order to 
> see/modify templates and I'm sure the same situation exists for other 
> objects to be modified.
> 
> Kenn
> LBNL
> 
> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>> Sorry for posting this twice, but I'm trying to make it shorter.
>>
>> Please, can anyone confirm that a user who only has the global 
>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>
>> I'm using RT 3.8.2 and I would like to know if either I'm doing 
>> something wrong or this is the expected behaviour. If this were the 
>> second case, should this be considered a bug?
>>
>> For a longer explanation, attached you can find my previous message.
>>
>> Thanking you in advance,
>> Carlos
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> [rt-users] Rights issue on Configuration -> Global -> RT at a glance 
>> on RT 3.8.2
>> From:
>> Carlos Garcia Montoro <cgarcia at ific.uv.es>
>> Date:
>> Fri, 29 May 2009 12:18:06 +0200
>> To:
>> rt-users at lists.bestpractical.com
>>
>>
>> Hello,
>>
>> I've a question/request about RT that I have been neither able to 
>> resolve by myself, nor have I found it at the RT wiki or googling 
>> this mailing list.
>>
>> I'm a newbie using RT. I'm installing an organizational RT (ver. 3.8.2). 
>> We have some departments that are autonomous of each other. Thus, I 
>> want to grant some privileges for every admin group of each 
>> department. I want to allow them to handle their own queues, groups, 
>> etc. But I also want not to allow them to modify others' space. I have 
>> achieved this configuration, i.e. admins are only able to see their 
>> groups, admins can see all queues but they are only allowed to modify 
>> some properties (Cc, AdminCc,...)  of their own queues but not other 
>> queues. In order to do that I have granted them the global right 
>> "ShowConfigTab". Otherwise they had rights but they couldn't use them 
>> (they couldn't modify group membership of their groups,...).
>>
>> The problem I'm suffering is this: When I grant the "ShowConfigTab" 
>> right to a user or group, I'm also granting privileges to modify the 
>> global RT at a glance. Let me show an example: Let me create a user 
>> foo who can be granted rights ("Let this user be granted rights" is 
>> checked). This new user isn't a member of any group, so he has no 
>> rights other than "Everyone" and "Privileged". At this moment, global 
>> rights for these groups are the default (no global right for 
>> "Everyone", and only "ShowApprovalsTab" for "Privileged"). In some 
>> queues "Everyone" has two rights "CreateTicket" and "SeeQueue", but as 
>> far as I know they only grant privileges for creating a new ticket in 
>> these queues. Let this user be granted the global "ShowConfigTab" 
>> right ( "Configuration" -> "Global" -> "User Rights", and there foo is 
>> granted to "ShowConfigTab"). Now let foo log in. This user can see the 
>> configuration tab, but he can't modify anything since he is not 
>> allowed to. If he tries to modify anything RT won't allow it and foo 
>> will read a permission denied message. But if foo goes to 
>> "Configuration" -> "Global" -> "RT at a glance" and there he deletes 
>> "QuickCreate", RT allows it saying "Global portlet body saved.". Now 
>> let the privileged user bar log in. The RT at a glance of bar no 
>> longer has the "QuickCreate" frame when it previously had it. Hence, I 
>> don't want to grant foo the right of modifying the global RT at a glance!
>>
>> Is it the expected behaviour? Am I missing anything or doing something 
>> wrong?
>>
>> Thank you,
>> Carlos
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
>> Buy a copy at http://rtbook.bestpractical.com
>>   

-- 
  _______ _______________________________________________________________
| __ __ | Carlos García Montoro                    Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
|  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
|_______| España / Spain                              Fax: +34 963543488