[Rt-devel] LDAP Authentication module does not place users under "Everyone"

Robert Nesius nesius at gmail.com
Tue Nov 24 10:41:36 EST 2009


I think hacking the autohandler might not be the kosher way to accomplish
what you want.  Even though you are authenticating against LDAP, RT is
"caching" some of the user's attributes to form a unique identity for each
user which is used to manage rights.  One of the "rights" or flags
associated with the user in the database is whether or not they are
privileged.  I also think that there is a setting you can put in
RT_SiteConfig.pm that forces autocreated accounts to be privileged, which
would accomplish in the end what your hacked autohandler is doing, but
instead of the "privileged bit" being dynamically granted in a silent,
ninja-assassin-like way, the right would be explicit in the database, and
you could turn it off for individual users...

-Rob


On Tue, Nov 24, 2009 at 9:13 AM, <n.chrysandreas at albourne.com> wrote:

> Hi everyone,
>
> >>That is called the SelfService interface, which is where Unprivileged
> >>users are directed when logging in to RT.  You may want to read in the
> >>wiki about the types of users
> >>http://wiki.bestpractical.com/view/SelfService
> >
> >Thanks! Didn't know about the SelfService interface.
> >But this means that we are not able to grant unprivileged users any other
> >rights that we would like (example: CreateOwnDashboard,
> >CreateSavedSearch, CreateTicket, EditSavedSearches, ReplyToTicket,
> >SeeOwnDashboard, ShowSavedSearches etc.)
> >
> >So if I got this right, privileged users have the normal interface and the
> >unprivileged users get the SelfService interface. However, whatever right I
> >give to the 'Unprivileged' group, the SelfService interface will not change.
>
> In order to get all users to see the normal RT interface I commented out
> a few lines in /opt/rt3/share/html/autohandler
> and "replaced" them with one:
> #unless ( $session{'CurrentUser'}->Privileged ) {
>
>    # if the user is trying to access a ticket, redirect them
> #    if (    $m->request_comp->path =~ '^(/+)Ticket/Display.html'
> #         && $ARGS{'id'} )
> #    {
> #        RT::Interface::Web::Redirect( RT->Config->Get('WebURL') ."SelfService/Display.html?id=".$ARGS{'id'});
> #    }
> #
>    # otherwise, drop the user at the SelfService default page
> #    elsif ( $m->base_comp->path !~ RT->Config->Get('SelfServiceRegex') ) {
> #        RT::Interface::Web::Redirect( RT->Config->Get('WebURL') ."SelfService/" );
> #    }
>    # if user is in SelfService dir let him do anything
> #    else {
> #        $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %ARGS);
> #    }
> #}
> #else {
> #    $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %ARGS);
> #}
>
> $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %ARGS);
>
>
> Now any rights I grant to the Everyone and Unprivileged groups correspond
> correctly on the user's interface.
> Is there anything else I need to watch out for concerning this change I
> made, or should it work fine like this (it is at the moment and I haven't
> noticed any strange functionality within RT)?
>
> Thanks
> Nik
>