[rt-users] Limiting requestors to only see tickets they requested
R El -Hames
r at elhames.co.uk
Fri Apr 11 13:16:12 EDT 2003
Jeremy;
(I take it that your requesters are non-privileged users?)
The way I managed to avoid my non-privileged users seeing tickets other than theirs:
1- They are not queue members
2- Unprivileged+Everyone groups have no rights
3- Requestors have ShowTicket + ReplyToTicket rights only
4- As an extra caution, I removed the GoToticket button from the SelfService view.
Roy
----- Original Message -----
From: "Jeremy Doran" <fox-rt_users at vulpes.net>
To: <rt-users at lists.fsck.com>
Sent: Friday, April 11, 2003 5:46 PM
Subject: [rt-users] Limiting requestors to only see tickets they requested
>
> I wanted to follow up on this, as this is rapidly becoming a 'make or
> break' issue to whether we keep RT here.
>
> I got one reply back privately with a suggestion, but so far, that
> hasn't seemed to work.
>
> Right now, I'm experimenting to see if I can do this with RT3, but so
> far, I've not been able to restrict it so that 'Requestor 1' can _only_
> see tickets that they have submitted, and _not see_ tickets from
> 'Requestor 2'
>
> I've limited the groups down as follows thus far:
>
> Global group Everyone:
> CreateTicket
> ModifySelf
>
> Queue group Requestor:
> ShowTicket
> ReplyToTicket
>
> If I log in as 'Requestor 1' who submitted ticket (for example's sake)
> 3101, I see that ticket in the listing of tickets that user requested.
> All well and good. However, if I enter ticket 3095 (submitted by
> 'Requestor 2' from another company) in the 'Goto Ticket' box, or edit
> the URL so that id=3095 is passed to Display.html, then 'Requestor 1' is
> able to see 'Requestor 2's ticket, as well as any proprietary and
> confidential information that might be in that ticket. This is what we
> absolutely must be able to prevent if we are to continue with RT at our
> company.
>
> 'Requestor 1' _must not_ be able to see tickets that they did not
> request.
>
> Is this possible? If not, what would need to be done to make it so in
> the code?
>
> Thanks,
>
> On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:
> > First of all, we're looking to see if it's possible for customers (ie,
> > people external to our environment) who send in tickets can log into RT
> > and see their tickets from the web interface. I see that this is
> > possible from setting the ShowTicket privilege, but the problem here is
> > that they can just type in any ticket number, and as long as they have
> > that permission for that queue, they can see _any_ ticket in that queue.
> > Is there any permission that should be set that will restrict that
> > requestor to _only_ see tickets that they have requested?
>
> --
> Jeremy Doran <fox-rt_users at vulpes.net>
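
Added example, not part of the thread and not RT's own code: a simplified model of the rights layout in Roy's list, with a check that enumerates every ticket each requestor can show and flags any they did not request. The group-evaluation logic, the user names and the `TOO_BROAD` variant are assumptions for illustration; the right names and ticket ids 3101 and 3095 come from the messages above.

```python
# Simplified model of group-based ticket rights (an assumption for illustration,
# not RT's actual ACL code). Right and group names are taken from the thread.
TICKETS = {3101: "requestor1", 3095: "requestor2"}  # constructed: id -> requestor


def groups_for(user, ticket_id):
    """Groups the user belongs to when acting on one ticket."""
    groups = {"Everyone", "Unprivileged"}
    if TICKETS[ticket_id] == user:
        groups.add("Requestor")  # role group: membership is decided per ticket
    return groups


def can(user, right, ticket_id, grants):
    """True if any group the user is in for this ticket holds the right."""
    return any(right in grants.get(g, set()) for g in groups_for(user, ticket_id))


def cross_requestor_leaks(grants):
    """Every (user, ticket) pair where a user can show a ticket they did not request."""
    users = sorted(set(TICKETS.values()))
    return [(u, t) for u in users for t in sorted(TICKETS)
            if TICKETS[t] != u and can(u, "ShowTicket", t, grants)]


# Layout from Roy's list: ShowTicket is held only by the Requestor role.
ROLE_ONLY = {
    "Everyone": set(),
    "Unprivileged": set(),
    "Requestor": {"ShowTicket", "ReplyToTicket"},
}
# Weak variant: ShowTicket also granted to a group every user belongs to.
TOO_BROAD = {**ROLE_ONLY, "Unprivileged": {"ShowTicket"}}

if __name__ == "__main__":
    for name, grants in (("role-only", ROLE_ONLY), ("too-broad", TOO_BROAD)):
        print(name, cross_requestor_leaks(grants))
```

Running the same enumeration against a real instance, by requesting each ticket id as each test requestor, is the regression check for this configuration.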