[rt-users] Limiting requestors to only see tickets they requested

Jeremy Doran fox-rt_users at vulpes.net
Fri Apr 11 14:01:39 EDT 2003


On Fri, 2003-04-11 at 10:02, Jesse Vincent wrote:
> Is requestor 1 an honest to god unprivileged user? Someone reported this
> issue about six months ago and it turned out that they had either
> granted extra global/queue rights or they were using a user that had
> extra rights individually.

I've just double checked the user in the configuration, and I have 'Let
this user access RT' checked, but 'Let this user be granted rights' is
unchecked. 

I double checked the global and queue rights too, and they are what I
stated. (Just making sure :)

> 
> 	-j
> 
> 
> On Fri, Apr 11, 2003 at 09:46:01AM -0700, Jeremy Doran wrote:
> > 
> > I wanted to follow up on this, as this is rapidly becoming a 'make or
> > break' issue to whether we keep RT here. 
> > 
> > I got one reply back privately with a suggestion, but so far, that
> > hasn't seemed to work. 
> > 
> > Right now, I'm experimenting to see if I can do this with RT3, but so
> > far, I've not been able to restrict it so that 'Requestor 1' can _only_
> > see tickets that they have submitted, and _not see_ tickets from
> > 'Requestor 2'
> > 
> > I've limited the groups down as follows thus far:
> > 
> > Global group Everyone: 
> >  CreateTicket
> >  ModifySelf
> > 
> > Queue group Requestor:
> >  ShowTicket
> >  ReplyToTicket
> > 
> > If I log in as 'Requestor 1' who submitted ticket (for example's sake)
> > 3101, I see that ticket in the listing of tickets that user requested.
> > All well and good. However, if I enter ticket 3095 (submitted by
> > 'Requestor 2' from another company) in the 'Goto Ticket' box, or edit
> > the URL so that id=3095 is passed to Display.html, then 'Requestor 1' is
> > able to see 'Requestor 2's ticket, as well as any proprietary and
> > confidential information that might be in that ticket. This is what we
> > absolutely must be able to prevent if we are to continue with RT at our
> > company. 
> > 
> > 'Requestor 1' _must not_ be able to see tickets that they did not
> > request.
> > 
> > Is this possible? If not, what would need to be done to make it so in
> > the code?
> > 
> > Thanks,
> > 
> > On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:
> > > First of all, we're looking to see if it's possible for customers (ie,
> > > people external to our environment) who send in tickets can log into RT
> > > and see their tickets from the web interface. I see that this is
> > > possible from setting the ShowTicket privilege, but the problem here is
> > > that they can just type in any ticket number, and as long as they have
> > > that permission for that queue, they can see _any_ ticket in that queue.
> > > Is there any permission that should be set that will restrict that
> > > requestor to _only_ see tickets that they have requested? 
> > 
> > -- 
> > Jeremy Doran <fox-rt_users at vulpes.net>
> > 
> > _______________________________________________
> > rt-users mailing list
> > rt-users at lists.fsck.com
> > http://lists.fsck.com/mailman/listinfo/rt-users
> > 
> > Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
-- 
Jeremy Doran <fox-rt_users at vulpes.net>
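The rights check Jesse is asking about, as an added example that is not RT's own code and not part of the thread: a small Python model of an RT-style ACL showing why ShowTicket granted to the queue's Requestor role only exposes a user's own tickets, while an extra queue-wide grant to Everyone exposes every ticket in the queue. Group names, right names and ticket numbers follow the thread; the user names and the queue name are constructed.

```python
# Added example, not RT code: a minimal model of an RT-style ACL check
# ("may user U see ticket T?"). Everyone is a system group evaluated per
# queue; Requestor is a role group evaluated per ticket.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestors: frozenset  # user names; constructed sample data

class ACL:
    def __init__(self):
        self.grants = {}  # (group, queue or None for global) -> set of rights

    def grant(self, group, right, queue=None):
        self.grants.setdefault((group, queue), set()).add(right)

    def _granted(self, group, right, queue):
        # A global grant (queue=None) or a grant on this ticket's queue.
        return (right in self.grants.get((group, None), ())
                or right in self.grants.get((group, queue), ()))

    def has_right(self, user, right, ticket):
        # Everyone applies to any user, regardless of the ticket.
        if self._granted("Everyone", right, ticket.queue):
            return True
        # Requestor counts only for tickets this user actually requested.
        return user in ticket.requestors and self._granted("Requestor", right, ticket.queue)

TICKETS = [Ticket(3101, "support", frozenset({"requestor1"})),
           Ticket(3095, "support", frozenset({"requestor2"}))]

def visible_tickets(acl, user):
    return sorted(t.id for t in TICKETS if acl.has_right(user, "ShowTicket", t))

def intended_acl():
    acl = ACL()
    acl.grant("Everyone", "CreateTicket")
    acl.grant("Everyone", "ModifySelf")
    acl.grant("Requestor", "ShowTicket", queue="support")
    acl.grant("Requestor", "ReplyToTicket", queue="support")
    return acl

def leaky_acl():
    # The extra grant Jesse suspects: ShowTicket given queue-wide to Everyone.
    acl = intended_acl()
    acl.grant("Everyone", "ShowTicket", queue="support")
    return acl
```

With the intended grants, requestor1 sees only 3101; with the extra Everyone grant, 3095 becomes visible too, which is the behaviour the thread describes.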



