[rt-users] Solution for User Password + Viewing ticket status

Brian Shellabarger brian at westhost.com
Thu Nov 7 14:16:19 EST 2002


Greetings,

First-time contributor to the list, but I've been browsing the archives extensively; hopefully I don't go off-topic here. I have several issues to present to the list; I'll do each of them in their own email so as to keep the threads tidy. I also know just enough Perl to be dangerous, and not nearly enough to be an expert. Here goes:

I wanted the ability for my ticket requestors to view the status of their tickets using the /SelfService section of RT. However, I wanted the auto-reply and login process to be automated. Obviously, RT doesn't have a way to randomly generate passwords, so I edited lib/RT/User.pm and changed "$args{'Password'} = '*NO-PASSWORD*';" to "$args{'Password'} = crypt($args{'Name'}, $salt);". This effectively makes the password the same as their email address and it's working perfectly. When I send them the auto-reply template, I include the following URL:
http://mysite.com/SelfService/Display.html?id={$Ticket->id()}&user={$Ticket->CreatorObj->Name}&pass={$Ticket->CreatorObj->Name}

It works *PERFECTLY*

Obviously my only concern here is security. Once my customers realize that their password is the same as their email address, I may have a few get curious and decide to browse other tickets. I need to prevent this.

I'm proposing the following and I'd like pointers on the best way to implement this:

** Since there's no way for the method that sets the password in the database to talk to my template and tell it what password it chose, I'd like to base the password on the email address, but run it through some sort of non-secure encryption on both sides (something cheesy like shifting all the characters up 10 is the general idea... just something both sides can agree upon, and the result will be the same). I realize this is security by obscurity (banking on the customer not being able to figure out what algorithm you used to generate their password) but it's MUCH better than what I've got now.

So I would set the password using $password = myencrypt(email_address) -- but how do I tie this in on the template side?

All help is appreciated. :)

Brian
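
The message above asks for a function that both the password-setting code and the template can compute from the email address. The following is an added example, not part of the original post and not RT code: it shows the "shift by 10" idea next to a keyed HMAC, where the result also depends on a secret held only on the server. The function names, the secret, the 20-character truncation and the sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a secret stored only on the RT server (placeholder value).
my $SERVER_SECRET = 'CONSTRUCTED-PLACEHOLDER-replace-with-random-bytes';

# The "shift every character up 10" idea from the post, kept inside the
# printable ASCII range 33..126. The output depends on the input alone, so
# one known email/password pair is enough to work out the rule.
sub shift_password {
    my ($email) = @_;
    return join '', map {
        my $c = ord($_);
        ($c >= 33 && $c <= 126) ? chr(33 + ($c - 33 + 10) % 94) : $_;
    } split //, $email;
}

# Keyed alternative: HMAC-SHA256 over the normalised address.
# Both sides get the same value by calling this one function, but nobody
# can compute it for another address without $SERVER_SECRET.
sub derived_password {
    my ($email, $secret) = @_;
    my $norm = lc $email;          # assumption: addresses compared case-insensitively
    $norm =~ s/^\s+|\s+$//g;       # trim stray whitespace
    # hmac_sha256_hex takes the data first and the key last.
    return substr(hmac_sha256_hex($norm, $secret), 0, 20);   # 80 bits, hex
}

unless (caller) {
    # Constructed sample addresses.
    for my $email ('alice@example.com', 'bob@example.com') {
        printf "%-20s shift=%s  hmac=%s\n",
            $email, shift_password($email),
            derived_password($email, $SERVER_SECRET);
    }
    # Hypothetical use on the password-setting side, following the post:
    #   $args{'Password'} = crypt(derived_password($args{'Name'}, $SERVER_SECRET), $salt);
    # Hypothetical use in the template, assuming the function is loadable there:
    #   &pass={ derived_password($Ticket->CreatorObj->Name, $SERVER_SECRET) }
}
```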




