[rt-users] possible permissions (ModifyTicket) bug in 3.4.5?

Claude M. Schrader cschrader at dca.net
Wed Apr 26 14:16:33 EDT 2006


Hello,
We have been removing all global permissions from the Privileged user
group on our RT install, to let some important customers have access to
their own support queue. In doing this, we seem to have stumbled on what
appears to be a bug with the ModifyTicket setting. The user is able to
search for email addresses through the "People" area of a ticket, and
return a list of every email address known to RT.

Users in the CustnameEmployees group have the following permissions for
their queue (the users are privileged, and I have spent most of the
morning ensuring the Privileged group does not have any global
rights):
CreateTicket
ReplyToTicket
SeeQueue
ShowTicket
Watch

Logging in as one of those users, I can see the queue, and open tickets,
and I cannot edit any values for the ticket information, as expected.
However, when you click on the blue "People" bar at the top of a ticket,
you can search for email addresses, and have valid addresses returned. The
real danger comes when you search for people whose userid contains %. This
returns a list of every email address known to RT. *Warning* this
potentially puts a very big load on the server, and your browser. It seems
that a user without ModifyTicket should not be able to search for email
addresses, and nobody should be able to search for %. Has anyone else
noticed this behavior?

Thanks,
Claude Schrader

PS. Thanks for RT, it's been great for us; we have managed to roll a number
of legacy tools into it, having one place for everything.

***************************************************************************
Claude M. Schrader                      302-295-4707
Network Technician                      215-701-6500 x4707
Consult Dynamics/DCANet                 888-4DCANet (888-432-2638)
cschrader at dca.net                       http://www.dca.net
****************************************************************************
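The two gaps described in the post (the People lookup is not gated on ModifyTicket, and a bare "%" pulls back every address) modelled side by side with a hardened version, as an added example that is not RT's own code. The user table, the rights grants and the "support" queue are constructed for the demonstration; the lookup is reduced to a LIKE query over an in-memory SQLite table.

```python
import sqlite3

# Constructed sample data standing in for RT's Users and ACL tables.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("cust_pct%", "pct@example.com"),   # literal '%' in a name, to show escaping
]
# (user, queue, right) grants: only carol may modify tickets in "support".
RIGHTS = {("carol", "support", "ModifyTicket")}

MIN_LITERAL_CHARS = 3   # fewer real characters than this is fishing, not a lookup
MAX_RESULTS = 20        # hard cap on what one lookup can return


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def raw_search(term):
    """The behaviour from the post: no rights check, wildcards honoured."""
    return _db().execute(
        "SELECT name, email FROM users WHERE name LIKE ?", (term + "%",)
    ).fetchall()


def has_right(user, queue, right):
    return (user, queue, right) in RIGHTS


def escape_like(term):
    """Escape LIKE metacharacters so the caller's input matches literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_people(caller, queue, term):
    """Hardened lookup: rights check, literal prefix match, result cap."""
    if not has_right(caller, queue, "ModifyTicket"):
        raise PermissionError(f"{caller} lacks ModifyTicket on queue {queue}")
    literal = term.replace("%", "").replace("_", "")
    if len(literal) < MIN_LITERAL_CHARS:
        raise ValueError("query has too few literal characters")
    pattern = escape_like(term) + "%"   # only our own trailing wildcard survives
    return _db().execute(
        "SELECT name, email FROM users WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (pattern, MAX_RESULTS),
    ).fetchall()
```

`raw_search("%")` returns every row, which is the dump the post warns about; `search_people` refuses the same query before it reaches the database and refuses any caller without ModifyTicket.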