[Rt-devel] Address handling, and ticket creation from the web

Harry Bochner Harry.Bochner at biogenidec.com
Tue Oct 24 16:56:55 EDT 2006


While working on my own customizations of RT 3.6.1, I've noticed
a bad interaction between the handling of e-mail addresses and
ticket creation.

The problem arises if a user's e-mail address has one of the
fancier forms, like "Last, First <username at company.com>", and
the user creates a ticket through the web interface.

The web interface puts the address in the Requestor field, and
the value from this field is passed to
RT::User_Overlay::LoadOrCreateByEmail to get the User object.

This works fine for simple addresses that look like
"user at organization".

But with a more complicated address like
"Last, First <username at company.com>", the real address part gets
extracted, yielding "username at company.com", and this part of
the address is what's passed to the LoadByEmail method. The look-up
fails, because the database contains the full address, not just this
part. Then, because the look-up failed, a new user record is created,
with "Last, First" as the user name, and "username at company.com"
as the e-mail address.

This is bad in several ways:
1) An unnecessary user account gets created.
2) The user that account is for doesn't know it exists.
3) The new ticket is linked to the new account, not the one
    the user knows how to access.
4) So the user doesn't see the new ticket under "Open Tickets",
    and either tries again, or concludes that the system doesn't work.

One work-around I see is to put a CanonicalizeUserInfo method
in User_Local.pm that makes sure that only the real address goes
into the database. If we strip the extra info at the entry stage as
well as the look-up stage, the look-up will succeed.

But it seems to me that the real problem is that the web interface is
trying to make use of the API that's designed for the mail gateway. I
don't see any reason why the web interface should be relying on
looking up the user's email address: it already knows the user ID,
and it should be able to pass that ID to the CreateTicket routine.

In fact, a minor side-effect of this design is that it's easy to forge
the Creator of a ticket: since the Requestor field can be edited by
users, they can change it to anything they want, including another
user's address. I just tried this, and it worked fine. This isn't
terribly important (and a user who really wants to can always forge
an e-mail message as well), but still, I'd be happy with a system that
always linked a new ticket with the user who actually created it ...

So, am I missing something here?
Has anyone got a solution in hand?
Or should I add this to my list of things to customize?

Thanks,

-- 
Harry
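
The mismatch described in the message above, and the work-around of stripping the display part at both the entry stage and the look-up stage, as an added Python model that is not part of the original post and is not RT code. `UserStore`, `canonical_email`, `demo` and the sample address are hypothetical names constructed for the illustration.

```python
import re

# Captures the bare address inside "Display Name <addr>".
_ANGLE = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>")


def canonical_email(value):
    """Reduce 'Last, First <user@example.com>' to 'user@example.com'."""
    m = _ANGLE.search(value)
    return m.group(1) if m else value.strip()


class UserStore:
    """Toy user table keyed by the stored e-mail string (not RT's schema)."""

    def __init__(self, canonicalize_on_store):
        self.canonicalize_on_store = canonicalize_on_store
        self.users = {}  # stored e-mail string -> user name

    def create(self, name, email):
        # Entry stage: optionally strip the display part before storing.
        key = canonical_email(email) if self.canonicalize_on_store else email
        self.users[key] = name
        return name

    def load_or_create_by_email(self, requestor):
        # Look-up stage: always uses the bare address, as the post describes.
        addr = canonical_email(requestor)
        if addr in self.users:
            return self.users[addr], False
        # Look-up failed: an account is auto-created from the display part.
        display = requestor.split("<")[0].strip() or addr
        return self.create(display, addr), True


def demo(canonicalize_on_store):
    """Return (user the ticket is linked to, account created?, total accounts)."""
    store = UserStore(canonicalize_on_store)
    fancy = "Doe, Jane <jdoe@example.com>"  # constructed sample address
    store.create("jdoe", fancy)             # the account the user knows about
    name, created = store.load_or_create_by_email(fancy)  # web ticket creation
    return name, created, len(store.users)


if __name__ == "__main__":
    print("store as entered:     ", demo(False))
    print("canonicalize on store:", demo(True))
```

With the address stored as entered, the ticket is linked to a second, auto-created account. With canonicalization applied at the entry stage as well, the look-up finds the existing account and nothing new is created.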