[rt-users] problems with security on rt?

Smylers smylers at gbdirect.co.uk
Fri Aug 16 06:18:07 EDT 2002


Yesterday Ted Serreyn wrote:

> My customers can find out about each other even though they cannot see
> the queues.
>
> How: log in as a user on the web interface, click Configuration, click
> Users, click any privileged user.

It's relatively straightforward to hide the configuration link (and it's
been asked several times before -- search the archives, February this
year in particular I think (but I'm going from memory there)).

For what it's worth this is what we have on our homepage to provide the
config link only to users who are able to admin at least something:

  %# Show the "configuration" link only to users holding at least one of
  %# the system-level Admin rights; stop at the first right that matches.
  % foreach my $admin_right (qw<Groups KeywordSelects Keywords Queue Users>) {
  %   if ($session{'CurrentUser'}->HasSystemRight("Admin$admin_right")) {
        <li><a href="<%$RT::WebPath%>/Admin/">configuration</a></li>
  %     last;
  %   }
  % }

That however doesn't stop somebody 'RT'-savvy from appending "/Admin/"
to her/his URL manually.  I expect that similar code could be deployed
at the top of all admin pages to redirect (or die horribly, or
something) for insufficiently privileged users.

> The other issue that I am still working out is how to get email to go
> to a particular queue; all email tickets seem to end up in the (now
> renamed) General queue.

What's the 'RT' bit of your /etc/aliases look like?

Smylers
-- 
GBdirect
http://www.gbdirect.co.uk/
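The server-side check Smylers suggests, written out as an added example (not code from the original post or from RT itself): an HTML::Mason autohandler placed in the Admin/ directory, so every admin page runs the same rights test before rendering, whether the user followed the link or typed "/Admin/" by hand. It assumes the Mason request methods $m->abort, $m->out and $m->call_next, the RT 2 HasSystemRight call and $RT::WebPath from the snippet above, and the hypothetical path Admin/autohandler under the Mason root.

```perl
%# Assumed location: <MasonRoot>/Admin/autohandler (hypothetical path).
%# Mason runs an autohandler before any component beneath it, so this
%# check covers every /Admin/ page, not just the ones linked from the homepage.
<%init>
my $user    = $session{'CurrentUser'};
my $allowed = 0;

# Same rights list as the homepage link; holding any one of them is enough.
for my $admin_right (qw<Groups KeywordSelects Keywords Queue Users>) {
    if ($user->HasSystemRight("Admin$admin_right")) {
        $allowed = 1;
        last;
    }
}

unless ($allowed) {
    # Render nothing of the admin page: emit a short message with a way
    # back to the front page, then stop processing this request.
    $m->out("<p>You do not have permission to view the configuration pages.</p>\n");
    $m->out(qq{<p><a href="$RT::WebPath/">Return to the front page</a></p>\n});
    $m->abort;
}
</%init>
%# Rights check passed: hand over to the admin component actually requested.
% $m->call_next;
```

Hiding the link (the homepage snippet) and enforcing the right (this autohandler) are complementary: the first is convenience, the second is the actual access control.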