[rt-users] How can I prevent users from reading other queue's tickets?

Tim Pritlove tim at ccc.de
Wed Jul 5 08:28:32 EDT 2006


Hi Gilmar,

thanks for the response

On 04.07.2006, at 17:11, Gilmar Santos Jr wrote:

> Hi Tim,
>
> 1. There is more than one permission involved. The "SeeQueue" and the
> many "ShowTicket*". When someone doesn't have the "SeeQueue" permission
> it's still possible to see the ticket, exactly as you described.
> Remove the ShowTicket and related from those users that don't have the
> SeeQueue.


> 2. If all users can see all queues that's true. Tickets in a queue you
> can't see are not shown in your main page...

I do my permission management by assigning people to groups and  
assigning group permissions to queues. So this would mean that people  
who do not belong to a queue should not have a single right on that  
particular queue, right?

However, RT 3.2 does not seem to honor this as people that belong to  
other groups that do not have a single right for that queue can still  
see the ticket as long as it is not owned by a user.

The funny thing is that while it is visible for me being logged in as  
a user with the right to see the queue, the ticket is marked as  
belonging to that queue.

But somebody else with an account in that system without queue
permission sees the ticket listed in the "10 newest unowned
tickets..." section on the home page without mentioning which queue
it is assigned to (the queue field is just empty). If the privileged
user now "takes" the ticket, the ticket is no longer showing up in
this list, but the unprivileged user can still see the ticket.

So the "SeeQueue" privilege seems more like a "don't show which queue  
the ticket is in" than a "don't show tickets that belong to a queue".

How can I prevent this from happening?


Greetings
Tim


> --
> Gilmar Santos Jr
>
> Tim Pritlove escreveu:
>> Hi,
>>
>> I am using RT 3.2 and just found out two annoying things
>>
>> 1. people who have NO permissions for a queue can still read the
>> ticket when they get the URL
>> 2. tickets that do not have an owner get listed for every user of the
>> system on the main page
>>
>> What can I do to prevent both things?
>>
>> Greetings
>> Tim
>> --Tim Pritlove, Discordian Evangelist, Chaos Computer Club
>> <mailto:tim at ccc.de> <http://tim.geekheim.de/>
>> <http://www.blinkenlights.de/>
>> <jabber:tim at jabber.ccc.de> <gizmo://timpritlove> <skype://timpritlove>
>> ------
>> An artist of life thrives best in the tension between bohemianism
>> and asceticism and, as a lived total work of art, gives meaning to
>> himself. -- Wikipedia
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>>
>>
>> We're hiring! Come hack Perl for Best Practical:
>> http://bestpractical.com/about/jobs.html

-- 
Tim Pritlove, Discordian Evangelist, Chaos Computer Club
<mailto:tim at ccc.de> <http://tim.geekheim.de/>
<http://www.blinkenlights.de/>
<jabber:tim at jabber.ccc.de> <gizmo://timpritlove> <skype://timpritlove>
------
"We have Ph.D.s here who know the stuff cold, and we don't
believe it's possible to protect digital content" -- Steve Jobs
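
The audit that the quoted advice implies (find everyone who holds a "ShowTicket*" right on a queue without "SeeQueue"), as an added example that is not part of the original thread and is not RT's code or schema. It is a simplified model: the group names, queue names, user names and the `GLOBAL` scope are constructed assumptions.

```python
# Added example: a simplified rights model, not RT's code or database schema.
from collections import defaultdict

GLOBAL = "*"  # assumption of this model: a grant with this scope applies to every queue

# Constructed sample data: group membership and (group, scope, right) grants.
MEMBERS = {
    "support": {"alice"},
    "billing": {"bob"},
    "everyone": {"alice", "bob", "carol"},
}
GRANTS = [
    ("support", "Support", "SeeQueue"),
    ("support", "Support", "ShowTicket"),
    ("billing", "Billing", "SeeQueue"),
    ("billing", "Billing", "ShowTicket"),
    ("everyone", GLOBAL, "ShowTicket"),          # broad grant made outside any queue
    ("everyone", GLOBAL, "ShowTicketComments"),
]
QUEUES = ["Support", "Billing"]


def effective_rights(members, grants, queues):
    """Return {(user, queue): rights} after expanding groups and global grants."""
    rights = defaultdict(set)
    for group, scope, right in grants:
        targets = queues if scope == GLOBAL else [scope]
        for user in members.get(group, ()):
            for queue in targets:
                rights[(user, queue)].add(right)
    return rights


def show_without_see(members, grants, queues):
    """List (user, queue, rights) where a ShowTicket* right is held without SeeQueue."""
    findings = []
    for (user, queue), held in sorted(effective_rights(members, grants, queues).items()):
        show = sorted(r for r in held if r.startswith("ShowTicket"))
        if show and "SeeQueue" not in held:
            findings.append((user, queue, show))
    return findings


if __name__ == "__main__":
    for user, queue, show in show_without_see(MEMBERS, GRANTS, QUEUES):
        print(f"{user} can read tickets in {queue} via {show} but lacks SeeQueue")
```

In this constructed data every finding traces back to the two grants made at the `GLOBAL` scope; with those removed the per-queue group grants alone produce no findings.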
