[rt-users] Limiting requestors to only see tickets they requested

Jeremy Doran fox-rt_users at vulpes.net
Fri Apr 11 12:46:01 EDT 2003


I wanted to follow up on this, as this is rapidly becoming a 'make or
break' issue as to whether we keep RT here.

I got one reply back privately with a suggestion, but so far, that
hasn't seemed to work. 

Right now, I'm experimenting to see if I can do this with RT3, but so
far, I've not been able to restrict it so that 'Requestor 1' can _only_
see tickets that they have submitted, and _not see_ tickets from
'Requestor 2'.

I've limited the groups down as follows thus far:

Global group Everyone: 
 CreateTicket
 ModifySelf

Queue group Requestor:
 ShowTicket
 ReplyToTicket

If I log in as 'Requestor 1' who submitted ticket (for example's sake)
3101, I see that ticket in the listing of tickets that user requested.
All well and good. However, if I enter ticket 3095 (submitted by
'Requestor 2' from another company) in the 'Goto Ticket' box, or edit
the URL so that id=3095 is passed to Display.html, then 'Requestor 1' is
able to see 'Requestor 2's ticket, as well as any proprietary and
confidential information that might be in that ticket. This is what we
absolutely must be able to prevent if we are to continue with RT at our
company. 

'Requestor 1' _must not_ be able to see tickets that they did not
request.

Is this possible? If not, what would need to be done to make it so in
the code?

Thanks,

On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:
> First of all, we're looking to see if it's possible for customers (i.e.,
> people external to our environment) who send in tickets can log into RT
> and see their tickets from the web interface. I see that this is
> possible from setting the ShowTicket privilege, but the problem here is
> that they can just type in any ticket number, and as long as they have
> that permission for that queue, they can see _any_ ticket in that queue.
> Is there any permission that should be set that will restrict that
> requestor to _only_ see tickets that they have requested? 

-- 
Jeremy Doran <fox-rt_users at vulpes.net>
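
The access check this message asks for, as an added example that is not part of the original post and is not RT's code: a simplified model in which the 'Requestor' role is resolved either against the ticket being requested or against the whole queue, using the grants and ticket numbers from the message. The queue name, user names and all function names are assumptions made for illustration.

```python
# Simplified model of role-scoped rights; NOT RT's code. All names are hypothetical.
from dataclasses import dataclass, field

# Grants as listed in the message: (scope, principal) -> rights.
GRANTS = {
    ("global", "Everyone"): {"CreateTicket", "ModifySelf"},
    ("queue", "Requestor"): {"ShowTicket", "ReplyToTicket"},
}

@dataclass
class Ticket:
    id: int
    queue: str
    requestors: set = field(default_factory=set)

# Constructed sample data reusing the ticket numbers from the message.
TICKETS = {
    3101: Ticket(3101, "Support", {"requestor1"}),
    3095: Ticket(3095, "Support", {"requestor2"}),
}

def roles_per_ticket(user, ticket):
    """Role membership resolved against the one ticket being requested."""
    roles = {"Everyone"}
    if user in ticket.requestors:
        roles.add("Requestor")
    return roles

def roles_per_queue(user, ticket):
    """Flawed variant: requestor of ANY ticket in the queue counts as 'Requestor'."""
    roles = {"Everyone"}
    if any(user in t.requestors for t in TICKETS.values() if t.queue == ticket.queue):
        roles.add("Requestor")
    return roles

def can_show(user, ticket_id, resolve_roles):
    """Authorize a display request for an id taken straight from the URL."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return False  # unknown id: deny, same answer as a forbidden ticket
    held = resolve_roles(user, ticket)
    rights = set()
    for (_scope, principal), granted in GRANTS.items():
        if principal in held:
            rights |= granted
    return "ShowTicket" in rights

def visible_ids(user, resolve_roles):
    """Every ticket id the user could open by typing it in directly."""
    return sorted(i for i in TICKETS if can_show(user, i, resolve_roles))
```

Sweeping `visible_ids` over a range of ids while logged in as a test requestor is a quick regression check that a rights change closed the direct-by-id path and not only the ticket listing.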
