[rt-users] Limiting requestors to only see tickets they requested

Jesse Vincent jesse at bestpractical.com
Fri Apr 11 13:02:03 EDT 2003


Is requestor 1 an honest to god unprivileged user? Someone reported this
issue about six months ago and it turned out that they had either
granted extra global/queue rights or they were using a user that had
extra rights individually.

	-j


On Fri, Apr 11, 2003 at 09:46:01AM -0700, Jeremy Doran wrote:
> 
> I wanted to follow up on this, as this is rapidly becoming a 'make or
> break' issue to whether we keep RT here. 
> 
> I got one reply back privately with a suggestion, but so far, that
> hasn't seemed to work. 
> 
> Right now, I'm experimenting to see if I can do this with RT3, but so
> far, I've not been able to restrict it so that 'Requestor 1' can _only_
> see tickets that they have submitted, and _not see_ tickets from
> 'Requestor 2'
> 
> I've limited the groups down as follows thus far:
> 
> Global group Everyone: 
>  CreateTicket
>  ModifySelf
> 
> Queue group Requestor:
>  ShowTicket
>  ReplyToTicket
> 
> If I log in as 'Requestor 1' who submitted ticket (for example's sake)
> 3101, I see that ticket in the listing of tickets that user requested.
> All well and good. However, if I enter ticket 3095 (submitted by
> 'Requestor 2' from another company) in the 'Goto Ticket' box, or edit
> the URL so that id=3095 is passed to Display.html, then 'Requestor 1' is
> able to see 'Requestor 2's ticket, as well as any proprietary and
> confidential information that might be in that ticket. This is what we
> absolutely must be able to prevent if we are to continue with RT at our
> company. 
> 
> 'Requestor 1' _must not_ be able to see tickets that they did not
> request.
> 
> Is this possible? If not, what would need to be done to make it so in
> the code?
> 
> Thanks,
> 
> On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:
> > First of all, we're looking to see if it's possible for customers (i.e.,
> > people external to our environment) who send in tickets to log into RT
> > and see their tickets from the web interface. I see that this is
> > possible from setting the ShowTicket privilege, but the problem here is
> > that they can just type in any ticket number, and as long as they have
> > that permission for that queue, they can see _any_ ticket in that queue.
> > Is there any permission that should be set that will restrict that
> > requestor to _only_ see tickets that they have requested? 
> 
> -- 
> Jeremy Doran <fox-rt_users at vulpes.net>
> 
> _______________________________________________
> rt-users mailing list
> rt-users at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-users
> 
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

-- 
http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
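Added example, not part of the thread and not RT's code: a simplified model of how a right such as ShowTicket is resolved (grants to a system group, a ticket role group, or a single user, at Global or per-queue scope), with an audit that lists the tickets a user can open without being a requestor and names the grant that lets them through. With only the grants Jeremy lists, requestor1 cannot open 3095; adding a ShowTicket grant to Everyone at Global scope, or to the user individually, re-opens the id-guessing hole, which is the diagnosis Jesse suggests. The ticket ids, user names, queue name and grant tables are constructed for the example; the principal and scope names follow RT's terminology but the matching logic is a deliberate simplification (only the Requestor role is modelled; Owner, Cc and AdminCc would be handled the same way).

```python
"""Simplified model of how RT 3 resolves a right such as ShowTicket.

Constructed for illustration only; this is not RT's code.  Rights are granted
to a principal (a system group, a ticket role group, or a single user) at
Global or per-queue scope.  A role group such as Requestor only matches the
users who hold that role *on the ticket being checked*, which is what keeps
one requestor from seeing another's tickets.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestors: FrozenSet[str]


@dataclass(frozen=True)
class User:
    name: str
    privileged: bool = False


@dataclass(frozen=True)
class Grant:
    right: str       # e.g. "ShowTicket"
    principal: str   # "Everyone", "Privileged", "Unprivileged", "Requestor" or "user:<name>"
    scope: str       # "Global" or "Queue:<queue name>"

    def label(self) -> str:
        return f"{self.scope}/{self.principal}"


def principal_matches(principal: str, user: User, ticket: Ticket) -> bool:
    """Does `user` belong to `principal` when evaluated against `ticket`?"""
    if principal == "Everyone":
        return True
    if principal == "Privileged":
        return user.privileged
    if principal == "Unprivileged":
        return not user.privileged
    if principal == "Requestor":          # ticket role group: membership is per ticket
        return user.name in ticket.requestors
    if principal.startswith("user:"):     # right granted to the user individually
        return principal[len("user:"):] == user.name
    return False


def grants_allowing(user: User, ticket: Ticket, right: str, grants: List[Grant]) -> List[Grant]:
    """Every grant through which `user` holds `right` on `ticket` (empty list = denied)."""
    return [
        g for g in grants
        if g.right == right
        and g.scope in ("Global", f"Queue:{ticket.queue}")
        and principal_matches(g.principal, user, ticket)
    ]


def audit_requestor_isolation(user: User, tickets: List[Ticket],
                              grants: List[Grant]) -> Dict[int, List[str]]:
    """Tickets `user` can ShowTicket without being a requestor, keyed by id,
    with the grant(s) that leak each one.  An empty dict means isolation holds."""
    leaks: Dict[int, List[str]] = {}
    for t in tickets:
        if user.name in t.requestors:
            continue
        hits = grants_allowing(user, t, "ShowTicket", grants)
        if hits:
            leaks[t.id] = [g.label() for g in hits]
    return leaks


# Constructed sample data mirroring the thread: two requestors from different
# companies, two tickets in one queue (queue name is an assumption).
TICKETS = [
    Ticket(3101, "Support", frozenset({"requestor1"})),
    Ticket(3095, "Support", frozenset({"requestor2"})),
]
REQUESTOR1 = User("requestor1")           # unprivileged, as a self-service user should be

# The rights Jeremy lists: these alone do not let requestor1 open 3095.
INTENDED_GRANTS = [
    Grant("CreateTicket", "Everyone", "Global"),
    Grant("ModifySelf", "Everyone", "Global"),
    Grant("ShowTicket", "Requestor", "Queue:Support"),
    Grant("ReplyToTicket", "Requestor", "Queue:Support"),
]

# The two mistakes Jesse describes: an extra global/queue grant, or a right
# given to the user individually.  Either one re-opens the id-guessing hole.
EXTRA_GLOBAL = INTENDED_GRANTS + [Grant("ShowTicket", "Everyone", "Global")]
EXTRA_DIRECT = INTENDED_GRANTS + [Grant("ShowTicket", "user:requestor1", "Queue:Support")]


if __name__ == "__main__":
    for name, grants in [("intended", INTENDED_GRANTS),
                         ("extra global", EXTRA_GLOBAL),
                         ("extra direct", EXTRA_DIRECT)]:
        print(name, audit_requestor_isolation(REQUESTOR1, TICKETS, grants))
```

The audit is the check to run against a real RT install in spirit: walk the Global and per-queue group and user rights pages in the admin UI and confirm that ShowTicket is held only by role groups (and staff groups), never by Everyone, Unprivileged, or the self-service user directly. Note that the model leaves out queue names in the URL deliberately: the leak in the thread is reached by ticket id alone, so a deny has to come from the ACL, not from what the listing page happens to show.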
