[rt-users] Alfresco integration

Chris O'Kelly Chris.okelly at minecorp.com.au
Fri Sep 14 01:57:54 EDT 2012


Hi All,

I've figured it out, I had been using the RT::User object class where I should have been using RT::CurrentUser. A little more thought about what I was implementing also alerted me to the fact that what I am building is a possible security hole.

I'll repeat that in case anyone has found this on Google and plans to use it:

THIS CODE IS A POSSIBLE SECURITY FLAW! THINK LONG AND HARD!

Anyhoo, I'm fairly sure I understand and have addressed the security issues here, so here's how I sorted this out for myself:

In .../share/html/REST/1.0/search/ticket, I changed the first few lines as follows:
<%ARGS>
$restrictUser => undef
$query
$format => undef
$orderby => undef
$fields => undef
</%ARGS>
<%INIT>
use RT::Interface::REST;
my $output = "";
my $status = "200 Ok";
# Every RT record object needs a CurrentUser; build the lookup object as the
# logged-in user instead of with no user at all (RT logs an error for objects
# "created without a CurrentUser").
my $user = RT::User->new( $session{CurrentUser} );
my $current_user_obj = $session{CurrentUser};
# Only the dedicated RestUser account may ask to search as somebody else.
if (lc $current_user_obj->UserObj->Name eq "restuser")
{
        # $restrictUser is a numeric user id or a Name; Load accepts either.
        $user->Load($restrictUser) if ( defined $restrictUser );
}
# No (valid) $restrictUser, or the caller is not RestUser: fall back to the
# caller's own identity and rights.
$user = $session{CurrentUser} unless ( $user->Id );
my $current_user = RT::CurrentUser->new( $user );

# From here on every ticket lookup is ACL-checked as $current_user.
my $tickets = RT::Tickets->new($current_user);

# Parse and validate any field specifications.
...(the rest of the file)

Now, just to point out and make absolutely clear, the possible security flaw here is that a user can view tickets they do not have the right to see. In this case I have circumvented this by only making use of $restrictUser when the logged-in user is RestUser. As I am the only one who knows the password for RestUser, this functionality will only be accessible in scripts that I have created and set up to use RestUser.

If anyone can see any further security holes or other bugs in what I've done, I'd very much appreciate it if you'd let me know.

Regards


Chris O'Kelly
Web Administrator

Minecorp Australia
37 Murdoch Circuit
Acacia Ridge QLD 4110
minecorp.com.au<http://www.minecorp.com.au>


P:   07 3723 1000
M:  0450 586 190
E:  Chris.okelly at minecorp.com.au<mailto:Chris.okelly at minecorp.com.au>
S:  chris.okelly.mvs<http://skype.com>
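Editor's added example (not from the post above and not RT's own code): a stricter version of the "who may pass $restrictUser" decision. Instead of comparing the login name to the literal "restuser", it requires membership in a dedicated RT group, refuses unknown or disabled targets, and writes an audit line for every granted or refused impersonation, so the people who can search on others' behalf are managed in RT's group admin rather than by who knows one password. It assumes the RT 4.x API and a user-defined group called "REST Impersonators" (a hypothetical name) whose only members are the accounts allowed to do this.

```perl
# Added example, not from the original post or from RT itself. Assumes RT 4.x
# and a user-defined group "REST Impersonators" (hypothetical name) whose
# members are the only accounts allowed to search as another user.
use strict;
use warnings;
use RT::User;
use RT::Group;
use RT::CurrentUser;

# Group whose members may search as another user (hypothetical name).
my $IMPERSONATOR_GROUP = 'REST Impersonators';

# Returns the RT::CurrentUser the search should run as. Every path that does
# not clearly permit impersonation returns the caller, so a bad or unknown
# $restrict_user can only narrow visibility to the caller's own rights.
sub search_user_for {
    my ( $caller, $restrict_user ) = @_;    # $caller is $session{CurrentUser}

    # Nothing requested: run as the caller.
    return $caller unless defined $restrict_user && length $restrict_user;

    # Gate on group membership rather than on a login name. The group is
    # loaded as the caller, which is enough for a member to see it.
    my $group = RT::Group->new($caller);
    $group->LoadUserDefinedGroup($IMPERSONATOR_GROUP);
    unless ( $group->Id && $group->HasMember( $caller->PrincipalId ) ) {
        $RT::Logger->warning(
            sprintf "REST search: %s asked to run as '%s' but is not in '%s'; running as self",
            $caller->Name, $restrict_user, $IMPERSONATOR_GROUP );
        return $caller;
    }

    # Resolve the target; RT::User->Load accepts a numeric id or a Name.
    my $target = RT::User->new($caller);
    $target->Load($restrict_user);
    unless ( $target->Id ) {
        $RT::Logger->warning(
            sprintf "REST search: %s asked to run as unknown user '%s'; running as self",
            $caller->Name, $restrict_user );
        return $caller;
    }

    # Do not give a disabled account's ticket visibility back to anyone.
    if ( $target->Disabled ) {
        $RT::Logger->warning(
            sprintf "REST search: %s asked to run as disabled user '%s'; running as self",
            $caller->Name, $target->Name );
        return $caller;
    }

    # Audit the successful impersonation so it can be reviewed later.
    $RT::Logger->info(
        sprintf "REST search: %s running as %s (id %d)",
        $caller->Name, $target->Name, $target->Id );
    return RT::CurrentUser->new($target);
}

1;
```

In the component this replaces everything from the `my $user = ...` line down to `RT::CurrentUser->new( $user )` with a single `my $current_user = search_user_for( $session{CurrentUser}, $restrictUser );` before `RT::Tickets->new($current_user)`. Who may impersonate is then visible in the group's membership list, and each use leaves a line in RT's log that can be checked against the scripts that are supposed to be making these calls.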


