[rt-users] prevent email ticket creation by new users?

Phil R Lawrence prlawrence at Lehigh.EDU
Fri Jan 31 11:52:08 EST 2003 

Phil Homewood wrote:
 > Phil R Lawrence wrote:
 >
 >> [setting $LookupSenderInExternalDatabase and
 >> $SenderMustExistInExternalDatabase to true while
 >> keeping the stock LookupExternalUserInfo function] ...
 >> certainly blocked the creation of new users...  it also
 >> disabled the ability for *anyone* [to] create tickets
 >> via email
 >
 >
 > Hmm. That shouldn't be the case; LookupExternalUserInfo as
 > it ships should return success for everything.

And  so it does.  There is a logic flow bug in RT on this point...  The 
details are below, but I believe the fix is to strip out any logic from 
rt-mailgate that concerns itself with the 
$LookupSenderInExternalDatabase and $SenderMustExistInExternalDatabase 
variables.

This would be my first patch to a system I'm only just learning, so 
please check my findings!

GIVEN:
1.  In config.pm we set
         $LookupSenderInExternalDatabase = 1;
         $SenderMustExistInExternalDatabase = 1;
     and we leave the LookupExternalUserInfo function
     stock (i.e. it always returns true)
2.  rt-mailgate is invoked with an email from a known user

OBSERVE:
1.  rt-mailgate calls RT::Interface::Email's GetCurrentUser
     function

2.  GetCurrentUser() invokes LookupExternalUserInfo() and
     ends up with:
         $UserFoundInExternalDatabase = 1
         $Address = [email address]
         $Username = [email address]

3.  GetCurrentUser() manages to find the RT user with
     either the LoadByName or the LoadByEmail method

4.  GetCurrentUser() returns the user object to
     rt-mailgate

5.  rt-mailgate notes that
         $LookupSenderInExternalDatabase = 1;
         $SenderMustExistInExternalDatabase = 1;
     and immediately throws up its hands, saying:
         "RT couldn't find requestor via its external database
         lookup"

BUT THIS IS WRONG.  GetCurrentUser() is constrained by
     $LookupSenderInExternalDatabase = 1;
     $SenderMustExistInExternalDatabase = 1;
so rt-mailgate need not worry about it.  GetCurrentUser() will bomb and 
email a notice if the user can't be authenticated due to these settings 
and the LookupExternalUserInfo function.


Phil

More information about the rt-users mailing list