[rt-users] User rights not checked when accessing tickets directly via number?

Harald Kollera harald.kollera at fun.de
Wed Apr 24 04:52:06 EDT 2002


Hi Magnus,

me-maillists at billskill.com wrote:

> Some background:
> 
> Just installed RT and trying to configure this for use by our internal
> support/helpdesk. Realising how neat RT is I started playing with the idea
> to also let it handle the company info requests.
> 
> For certain reasons I don't want our support clients to be able to view
> these internal errors and also didn't want those internal notes to generate
> any autoreplies.

We have a similar problem. Our customers are competitors and they don't
want others to see their problems, and we don't want our customers to see
our internal tickets. But all tickets are about the same product, so it is
impossible to handle a lot of different queues.

The solution was to create a new kind of user between unprivileged and
privileged, so-called underprivileged.

All these users share a nickname beginning with X_ and they are
unprivileged.
When logging in they get a new interface with a button "show group
tickets". So they can see all their own tickets as well as the tickets
their X_ group has requested, but nothing else.

To handle this I added a new interface, GroupService (copied from
SelfService), and changed the autohandler a little bit.

I've added the sources, so you can see if you get an idea how to handle
your problem.

ciao,
Harald
 

-- 
Dr. Harald Kolléra
Professional Services
fun communications GmbH
Brauerstrasse 6   76135 Karlsruhe   Germany
Tel: +49 721 964480           Fax: +49 721 96448-299
email: harald.kollera at fun.de  http://www.fun.de/

I trust in http://www.keytrust.de
-------------- next part --------------
--- autohandler	Thu Apr 18 12:32:45 2002
+++ autohandler.org	Thu Apr 18 13:06:22 2002
@@ -50,16 +50,8 @@
     
     # If the user isn\'t privileged, they can only see SelfService
     if ((! $session{'CurrentUser'}->Privileged) and
-        ( $session{'CurrentUser'}->UserObj->NickName !~ /^X_/) and
 	($m->base_comp->path !~ '^/SelfService/') ) {
 	$m->comp('/SelfService/index.html');
-	$m->abort();
-    }
-    # If the user isn\'t fully privileged, she can only see GroupService
-    elsif ((! $session{'CurrentUser'}->Privileged) and 
-           ( $session{'CurrentUser'}->UserObj->NickName =~ /^X_/) and
-	   ($m->base_comp->path !~ '^/GroupService/') ) {
-	$m->comp('/GroupService/index.html');
 	$m->abort();
     }
     else {
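Review bot: the diff is the wrong way round: `--- autohandler` is the modified file and `+++ autohandler.org` the original, so the `-` lines here are the lines that were actually added (the `NickName !~ /^X_/` test and the whole `elsif` GroupService branch); apply it with `patch -R`, or regenerate it as `diff -u autohandler.org autohandler`. On the logic: the only thing that selects the new branch is `$session{'CurrentUser'}->UserObj->NickName =~ /^X_/`, a free-form string attribute, so whoever can set or edit a user's NickName can move that user into or out of the underprivileged class without touching any group membership or right; keying the branch on RT group membership instead of a nickname prefix would be safer. Note also that the hunk only decides which interface tree (`/SelfService/` or `/GroupService/`) an unprivileged user is routed to via `$m->base_comp->path`; it does not restrict which ticket numbers the GroupService pages will show, so the "own tickets plus X_ group tickets, nothing else" rule described in the message has to be enforced inside the GroupService components (in the attached tarball, not in this hunk).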
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GroupService.tar
Type: application/x-tar
Size: 51200 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20020424/7d387aa2/attachment.tar>

