[rt-users] RT (4.0.18) search engine is leaking informations about unallowed tickets

benoit plessis plessis.benoit at gmail.com
Fri Dec 13 10:06:20 EST 2013


Hi,

I'm experiencing something weird with the latest 4.0.xx release, when some
low privileges users search for tickets RT give away of unwanted
informations.

Example: the default dashboard search for unowned tickets display "70
tickets found" in the title part, include a two-pages navigation, but only
display 1 ticket, the only one the user is allowed to see.

This also break the dashboard view, since the first ten tickets aren't
accessible the view is empty.

I'm not sure if it's a recent change or not since up to now all of our
users had at least readonly access to all of the queues/tickets.

Is it a known problem ?

Regards,
benoit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20131213/0a7a062f/attachment.htm>


More information about the rt-users mailing list