[rt-users] Separated queues

AJ rt at musefoundry.com
Sat Jan 10 17:13:20 EST 2004


Sadly, I lectured the network engineers about making statements when they
don't know the facts after hearing that they told the new IT manager that RT
was a home grown app.  The same day I turn around and do the same thing to
RT about separated queues. 

From one coder to another, I need to formally apologize to Jesse about
making judgments regarding the SeeQueue dependency.  

For those of you who aren't coders (I'll reserve further exploration for the
devel list) let me explain since I feel that after making an ass of myself I
should at least try to defend the Best Practical methodology:

In order to provide a simple way for frontend folks to list queues without
complicating the matter and possibly having a security hole opened up, the
$q->Next method assumes the current user has SeeQueue, which, in retrospect
is a valid assumption for the typical installation.  After trying to extend
the Queues modules to add a method that doesn't do this, it became apparent
that it would have been VERY complicated to code it so that cycling through
is easy for front end people to invoke and security is maintained. Otherwise
there would have to be all these additional arguments passed to the Next in
order for it to provide the output desired, and then not all the rights
would want to be passed (AdminQueue for instance since if you can't see the
queue, you should not be able to admin it), all this additional cross
referencing the user, group, rights, and queues tables would result in a good
bit of queries and internal activity.  When things get complicated, errors
are prone to happen.  I found out the hard way it was way too easy for users
who knew the queue IDs and such to access info they shouldn't without this
SeeQueue dependency.

Also, my end run around the permissions system resulted in having to change
the create ticket html, display html, etc. At least it's nice to know that
if someone makes an error with permissions (me for example) in one page, it
doesn't necessarily carry into the other pages.

So the quest is still on to find a clean way to list queues where create
ticket is the only dependency (perhaps a LimitToCreate function... don't
know yet).

Can't wait till this is deployed, I need a vacation.

A.J.

-----Original Message-----
From: asterr [mailto:asterr at pobox.com] 
Sent: Thursday, January 08, 2004 7:58 PM
To: Jesse Vincent
Cc: AJ; rt-users at lists.bestpractical.com; 'Morgan Nilsson'
Subject: Re: [rt-users] Separated queues

I looked into a similar issue in Oct.  I have granted CreateTicket to
privileged users, in order to allow all internal employees to create a
ticket in any queue.  Tickets can be successfully created via the e-mail
gateway, but not from the web interface.

The problem is that the queues do not appear in the queue list drop down
box.  It looks like SeeQueue requirement comes from RT::Queue->Next(), which
is used in the process of populating the drop down box.

Is there another queue iterator that can be used in /Elements/SelectQueue?
Or should an option be added to RT::Queue->Next() to remove the SeeQueue
requirement?

I have attached my e-mail to the list in Oct.

Cheers,
Aaron Sterr

On Thu, 8 Jan 2004, Jesse Vincent wrote:

> 
> 
> 
> On Thu, Jan 08, 2004 at 02:04:36PM -0500, AJ wrote:
> > 
> > Perhaps I am missing something, but shouldn't this show all the Queues
> > that the person has CreateTicket in?  The behavior I am seeing is that it
> > only shows the queues that the person has both SeeQueue and CreateTicket.
> > Is the CreateTicket right dependent on the SeeQueue right?
> 
> No. Think about the case where users submit tickets by email. You may
> not want the user to know that a queue exists but may want to let them
> create tickets there "blind."  If you want the user to know that the
> queue exists, grant them SeeQueue.
> 
> > 
> > Now by changing the line that gets the queue list:
> > FROM:
> > my $q=new RT::Queues($session{'CurrentUser'});
> > 
> > TO:
> > my $q=new RT::Queues($RT::SystemUser);
> > 
> > I then get the behavior I want and the user is presented with a list of
> > queues that they can create tickets in but not necessarily see.
> > 
> > So back to the original question:  I got the result I wanted but what
> > did I do in the process?
> 
> An end-run around the access control system. :/
> 
> > 
> > Thanks in advance
> > A.J.
> > 
> > -----Original Message-----
> > From: rt-users-bounces at lists.bestpractical.com
> > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Morgan
> > Nilsson
> > Sent: Sunday, January 04, 2004 6:21 PM
> > To: rt-users at lists.bestpractical.com
> > Subject: [rt-users] Separated queues
> > 
> > Hi.
> > 
> > I use: RT 3.0.7_01 on fedora with postgresql-7.3.4-11.
> > 
> > I would like to separate queues for different users.
> > I would not even like the users to know about each other
> > or other queues, etc. Has anyone used RT this way?
> > 
> > I did a test setup, but I could not stop users from clicking
> > on Configuration and then list all other users (I read the
> > message about hiding the tab...).
> > 
> > Also when searching for tickets you can choose all other owners
> > in the dropdown. I got "Found 1 ticket", but none was displayed when 
> > searching for another owner than myself.
> > 
> > The idea is to have our support use one system for different customer.
> > This way we can have an overview of all issues.
> > The customers should be able to login and create new tickets and
> > close tickets, etc, in their queue only. But it is not very good
> > if they know about the other tickets, customers, queues or groups.
> > 
> > What else must I consider to have this setup?
> > 
> > /Morgan
> > _______________________________________________
> > rt-users mailing list
> > rt-users at lists.bestpractical.com
> > http://lists.bestpractical.com/mailman/listinfo/rt-users
> > 
> > Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
> > 
> 
> -- 
> http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
> 
> 
> 
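
A standalone Perl model of the trade-off discussed in this thread, added here as an illustration and not taken from RT or from any poster: listing queues as the system principal exposes every queue, while filtering on the real user's CreateTicket right and re-checking it in the create handler keeps "blind" queues usable without leaking the rest. It does not use the RT API; `%ACL`, `has_right`, `visible_queues`, `creatable_queues`, `create_ticket` and the sample users and queues are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: queue => { user => { right => 1 } }.
my %ACL = (
    Support => { alice => { CreateTicket => 1 } },    # "blind" create only
    Billing => { alice => { SeeQueue => 1, CreateTicket => 1 } },
    Legal   => { bob   => { SeeQueue => 1, CreateTicket => 1 } },
);
my $SYSTEM = '__system__';    # stands in for $RT::SystemUser (assumption)

sub has_right {
    my ($user, $queue, $right) = @_;
    return 1 if $user eq $SYSTEM;    # the system principal passes every check
    my $q = $ACL{$queue} or return 0;    # unknown queue: deny
    my $u = $q->{$user}  or return 0;    # no grants for this user: deny
    return $u->{$right} ? 1 : 0;
}

# Models an iterator that only yields queues the viewer has SeeQueue on.
sub visible_queues {
    my ($viewer) = @_;
    return grep { has_right($viewer, $_, 'SeeQueue') } sort keys %ACL;
}

# Hypothetical "LimitToCreate"-style listing: filter on CreateTicket for the
# real user instead of swapping in the system principal.
sub creatable_queues {
    my ($user) = @_;
    return grep { has_right($user, $_, 'CreateTicket') } sort keys %ACL;
}

# The handler re-checks the right, so a guessed queue name is still refused.
sub create_ticket {
    my ($user, $queue) = @_;
    die "permission denied\n" unless has_right($user, $queue, 'CreateTicket');
    return "ticket created in $queue";
}

print "listed as alice (SeeQueue): @{[ visible_queues('alice') ]}\n";
print "listed as system principal: @{[ visible_queues($SYSTEM) ]}\n";
print "CreateTicket filter, alice: @{[ creatable_queues('alice') ]}\n";
print create_ticket('alice', 'Support'), "\n";
my $r = eval { create_ticket('alice', 'Legal') };
print defined $r ? "$r\n" : "refused: $@";
```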



