[rt-users] RT self service view - Required privileges.
Jesse Vincent
jesse at bestpractical.com
Tue Aug 23 11:58:26 EDT 2005
On Mon, Aug 22, 2005 at 11:33:56PM -0700, Thomas Armstrong wrote:
> I am currently trying to get the self service module of RT working for
> my site and noticed what looks like a security issue. When a user is
> granted the "ShowTicket" right, they are able to change the ticket id
> number in the url i.e. http://<hostname>/SelfService/Display.html?id=32
> to http://<hostname>/SelfService/Display.html?id=33 and view a ticket
> that has been requested by another user.
>
> Is there a better way to approach this problem than granting the
> Everyone group the ShowTicket right? I would really prefer to only allow
> a user to see those tickets that belong to them.
Yes, grant the Requestor group the ShowTicket right.
>
> Thanks,
>
> Thomas
>
> --
> Thomas Armstrong
> University Of Northern British Columbia
> Senior Systems Administrator
> Email: thomas at unbc.ca
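Added example, not part of the original messages and not RT's own code: a small Python model of why the two grants discussed above behave differently when the `id` in the URL is changed. The `Ticket`, `Grant` and `visible_ids` names and the sample users are constructed for illustration.

```python
# Simplified model of the two ACL configurations discussed in this thread.
# Not RT code: all names and data structures are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    id: int
    requestors: frozenset  # users holding this ticket's Requestor role


@dataclass(frozen=True)
class Grant:
    principal: str  # "Everyone" (global group) or "Requestor" (per-ticket role)
    right: str


def is_member(principal, ticket, user):
    """Resolve whether `user` belongs to `principal` for this specific ticket."""
    if principal == "Everyone":
        return True                       # matches any user on any ticket
    if principal == "Requestor":
        return user in ticket.requestors  # evaluated against the ticket itself
    return False


def has_right(user, right, ticket, acl):
    return any(g.right == right and is_member(g.principal, ticket, user) for g in acl)


def visible_ids(user, tickets, acl):
    """Ticket ids the user could display by stepping through the id parameter."""
    return [t.id for t in tickets if has_right(user, "ShowTicket", t, acl)]


# Constructed sample data: two tickets from two different requestors.
TICKETS = [Ticket(32, frozenset({"alice"})), Ticket(33, frozenset({"bob"}))]
ACL_EVERYONE = [Grant("Everyone", "ShowTicket")]    # configuration from the question
ACL_REQUESTOR = [Grant("Requestor", "ShowTicket")]  # configuration from the reply

if __name__ == "__main__":
    for name, acl in (("Everyone", ACL_EVERYONE), ("Requestor", ACL_REQUESTOR)):
        for user in ("alice", "bob"):
            print(f"{name:9} grant: {user} can display {visible_ids(user, TICKETS, acl)}")
```

The role grant is checked per ticket, so a changed id is denied unless the user is a requestor on that ticket.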