[Rt-devel] Security concern for RT 3.3/3.4 CF access controls.

Jesse Vincent jesse at bestpractical.com
Fri Dec 3 13:11:50 EST 2004




On Fri, Dec 03, 2004 at 01:00:13PM -0500, Stephen Turner wrote:
> A quick test in 3.3.12 suggests there's nothing to prevent the user from 
> seeing the transaction in the ticket history.

Yep. I expect to have this fixed today.

> Steve
> 
> At Thursday 12/2/2004 02:15 PM, Todd Chapman wrote:
> >If a user of RT 3.3/3.4 is not allowed to see the value
> >of certain custom fields, what keeps them from seeing
> >the value being set in the ticket history? Is a rights
> >check done for each transaction?
> >
> >And yes, I'm too busy at the moment to look at the code
> >myself. :)
> >
> >BTW, Asset Tracker v0.1alpha is coming along nicely!
> >
> >-Todd
> >_______________________________________________
> >Rt-devel mailing list
> >Rt-devel at lists.bestpractical.com
> >http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel
> 
> Stephen Turner
> Senior Programmer/Analyst - Client Support Services
> Information Services and Technology (IS&T)
> 
> sturner at mit.edu
> 
