<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Violetta,<br>
<br>
I just thought of an idea, but it would require a bit of work. Why
not try create some views that have only the info you want these user
to see and then remove them from RT. They can still get to the RT info
thru the views, which SHOULD suffice, since they are gonna be creating
searchs and reports. I'm not sure how your infrastructure is where you
work, but we have many users that do NOT access RT, but create their
own SQL reports all the time thru the views. We're on Orcale, but I'm
sure the same concept is doable with other DB's. I even have some SQL
that I use to create the views. I'd be MORE than happy to send it to
you and you can modify the info as per your needs. They even have
comments, which you can't get to in RT Query. Just a thought.<br>
<br>
Kenn<br>
LBNL<br>
<br>
On 6/19/2009 1:22 AM, Violetta J. Wawryk wrote:
<blockquote cite="mid:4A3B4AD5.4060804@science-computing.de" type="cite">
<pre wrap="">Hello,
yes I have to make him priviledged because he is a kind of controll
instance who has to see what orders (a ticket is a order) have been made.
Thanks to all who answered. I cannot believe that noone ever thought of
this as a security bug.
@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I
didn't even know that this one existed.
>Email addresses themselves are considered valuable data by some
>people. In this particular case, it might also reveal customer
>contacts (which could be abused for various purposes, not just sending
>spam).
@Florian: yes, you are absolutly right.
Since a collegue found another security issue, can anyone tell me an
emailadress where to send security issues that should definitly not be
public?
Thanks in advance
Violetta
Raed El-Hames schrieb:
</pre>
<blockquote type="cite">
<pre wrap="">Violetta;
You also made these people privileged (Let this user be granted rights
is ticked), the question is do you want them to be privileged, if these
are your customers then you should untick this and force them into the
restricted SelfService, if you have to have them privileged then by
default they will see the peoples tab, and to restrict that you will
need to add extra code in few places.
Regards;
Roy
Violetta J. Wawryk wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
RT is 3.6.1 on a debian system
we just found out that in the people section everyone who can login
can search for people. So a person who has the following rights:
CreateTicket
ReplyToTicket
SeeQueue
ShowTicket
can go to the people section and do a search like:
userid doesn't contain xyz
he gets all the users of the RT. Since this is a security issue, is
there anything that I can do to prevent these searches?
It might be disabled in a newer version, if so which would that be?
A quick search on the list didn't give me an answer, therefore I have
to ask this. Sorry if it's been on the list before.
Quick help is really appreciated, thanks in advance!!!!
Regards
Violetta
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
</body>
</html>