[Rt-devel] Allowing privileged users access to user information

Jones, Marc T marc.jones at uconn.edu
Tue Jan 11 11:13:57 EST 2011


Maybe someone can enlighten me as to what usage case the default behavior in RT has, but it seems really strange to me that access to user information is so inaccessible. I figured out that the way to allow privileged users to see user information is to grant them the ShowConfig tab. That's fine; showing them the Config tab doesn't get them any extra privileges to modify information. What took a bit to figure out was that privileged users can only see half of the fields associated with a user. Maybe I am missing something, but it seems really strange to record a nonprivileged user's phone number if the only people that can access the phone number are the people who have the ability to administer users.

I modified _OverlayAccessible in my User_Local.pm as follows to make more fields public.

# Local override of the per-field access map; the phone, address,
# Timezone and Comments fields are marked public here as well.
sub _OverlayAccessible {
    {

        Name                  => { public => 1, admin => 1 },
        Password              => { read   => 0 },
        EmailAddress          => { public => 1 },
        Organization          => { public => 1, admin => 1 },
        RealName              => { public => 1 },
        NickName              => { public => 1 },
        Lang                  => { public => 1 },
        EmailEncoding         => { public => 1 },
        WebEncoding           => { public => 1 },
        ExternalContactInfoId => { public => 1, admin => 1 },
        ContactInfoSystem     => { public => 1, admin => 1 },
        ExternalAuthId        => { public => 1, admin => 1 },
        AuthSystem            => { public => 1, admin => 1 },
        Gecos                 => { public => 1, admin => 1 },
        PGPKey                => { public => 1, admin => 1 },
        HomePhone             => { public => 1 },
        WorkPhone             => { public => 1 },
        MobilePhone           => { public => 1 },
        PagerPhone            => { public => 1 },
        Address1              => { public => 1 },
        Address2              => { public => 1 },
        City                  => { public => 1 },
        State                 => { public => 1 },
        Zip                   => { public => 1 },
        Country               => { public => 1 },
        Timezone              => { public => 1 },
        Comments              => { public => 1 },
    }
}

1;

The function _Value in Users_Overlay.pm also seems to have been allowing the same limited fields at one point. In _Value the variable @PublicFields is defined to be a list of fields that correspond with the current fields marked as public in the default _OverlayAccessible function.

Marc Jones
Systems Architect
Student Affairs Information Technology
University of Connecticut
e-mail: marc.jones at uconn.edu
Technical Support: 860-486-8992
Phone Number: 860-486-4559
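
Added example, not part of the original message and not RT's own code: a simplified stand-alone model of a per-field read check driven by a map like the one above, showing who gains read access when contact fields are switched to public. The can_read function, the three-way rule it applies (public flag, record owner, user administrator), the viewer records and the reduced field list are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: simplified model of per-field read checks, not RT's code.
use strict;
use warnings;

# Constructed subset of an access map in the style of _OverlayAccessible,
# with the contact fields left non-public.
my %strict = (
    Name      => { public => 1, admin => 1 },
    Password  => { read   => 0 },
    WorkPhone => {},
    Address1  => {},
    Comments  => {},
);

# Same fields with the post's change applied: contact fields marked public.
my %open = ( %strict,
    map { ( $_ => { public => 1 } ) } qw(WorkPhone Address1 Comments) );

# Hypothetical decision function (assumed rule): a field is readable if it
# is public, if the viewer owns the record, or if the viewer administers users.
sub can_read {
    my ( $map, $field, $viewer ) = @_;
    my $acl = $map->{$field} or return 0;                 # unknown field: deny
    return 0 if exists $acl->{read} && !$acl->{read};     # never readable
    return 1 if $acl->{public};
    return 1 if $viewer->{is_owner} || $viewer->{admin_users};
    return 0;
}

# Constructed viewers. Note that can_read never consults 'privileged':
# in this model the public flag cannot tell the first two viewers apart.
my %viewers = (
    unprivileged => {},
    privileged   => { privileged => 1 },
    admin        => { privileged => 1, admin_users => 1 },
);

for my $label (qw(strict open)) {
    my $map = $label eq 'strict' ? \%strict : \%open;
    for my $who (qw(unprivileged privileged admin)) {
        my @seen = grep { can_read( $map, $_, $viewers{$who} ) } sort keys %$map;
        printf "%-6s %-12s reads: %s\n", $label, $who, join( ', ', @seen );
    }
}
```

Under these assumptions the open map gives the unprivileged viewer the same phone, address and comment fields as the privileged one, which is the exposure to weigh before applying such a change on an instance where unprivileged accounts can load other users' records.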


