[Rt-devel] Security concern for RT 3.3/3.4 CF access controls.

Stephen Turner sturner at MIT.EDU
Fri Dec 3 13:00:13 EST 2004

A quick test in 3.3.12 suggests there's nothing to prevent the user from 
seeing the transaction in the ticket history.


At Thursday 12/2/2004 02:15 PM, Todd Chapman wrote:
>If a user of RT 3.3/3.4 is not allowed to see the value
>of certain custom fields, what keeps them from seeing
>the value being set in the ticket history. Is a rights
>check done for each transaction?
>And yes, I'm too busy at the moment to look at the code
>myself. :)
>BTW, Asset Tracker v0.1alpha is coming along nicely!
>Rt-devel mailing list
>Rt-devel at lists.bestpractical.com

Stephen Turner
Senior Programmer/Analyst - Client Support Services
Information Services and Technology (IS&T)

sturner at mit.edu

More information about the Rt-devel mailing list