[rt-users] How can I prevent users from reading other queue's tickets?

Drew Barnes barnesaw at ucrwcu.rwc.uc.edu
Wed Jul 5 08:33:38 EDT 2006


I whipped something up because of similar problems on our install.  It 
may work for you.  I removed the X Unowned tickets from 
local/html/index.html and replaced it with this. 

http://wiki.bestpractical.com/index.cgi?TicketsPerQueue



Tim Pritlove wrote:
> Hi Gilmar,
>
> thanks for the response
>
> On 04.07.2006, at 17:11, Gilmar Santos Jr wrote:
>
>> Hi Tim,
>>
>> 1. There is more than one permission involved. The "SeeQueue" and the
>> many "ShowTicket*". When someone doesn't have the "SeeQueue" permission
>> it's still possible to see the ticket, exactly as you described.
>> Remove the ShowTicket and related from those users that don't have the
>> SeeQueue.
>
>
>> 2. If all users can see all queues that's true. Tickets in a queue you
>> can't see are not shown in your main page...
>
> I do my permission management by assigning people to groups and 
> assigning group permissions to queues. So this would mean that people 
> who do not belong to a queue should not have a single right on that 
> particular queue, right?
>
> However, RT 3.2 does not seem to honor this as people that belong to 
> other groups that do not have a single right for that queue can still 
> see the ticket as long as it is not owned by a user.
>
> The funny thing is that while it is visible for me being logged in as 
> a user with the right to see the queue, the ticket is marked as 
> belonging to that queue.
>
> But somebody else with an account in that system without queue 
> permission sees the ticket listed in the "10 newest unowned 
> tickets..." section on the home page  without mentioning which queue 
> it is assigned to (the queue field is just empty). If the privileged 
> user now "takes" the ticket, the ticket is no longer showing up in 
> this list, but the unprivileged user can still see the ticket.
>
> So the "SeeQueue" privilege seems more like a "don't show which queue 
> the ticket is in" than a "don't show tickets that belong to a queue".
>
> How can I prevent this from happening?
>
>
> Greetings
> Tim
>
>
>> -- 
>> Gilmar Santos Jr
>>
>> Tim Pritlove wrote:
>>> Hi,
>>>
>>> I am using RT 3.2 and just found out two annoying things
>>>
>>> 1. people who have NO permissions for a queue can still read the
>>> ticket when they get the URL
>>> 2. tickets that do not have an owner get listed for every user of the
>>> system on the main page
>>>
>>> What can I do to prevent both things?
>>>
>>> Greetings
>>> Tim
>>> --Tim Pritlove, Discordian Evangelist, Chaos Computer Club
>>> <mailto:tim at ccc.de> <http://tim.geekheim.de/>
>>> <http://www.blinkenlights.de/>
>>> <jabber:tim at jabber.ccc.de> <gizmo://timpritlove> <skype://timpritlove>
>>> ------
>>> An artist of life thrives best in the field of tension between bohemianism
>>> and asceticism and, as a lived total work of art, gives meaning to
>>> himself. -- Wikipedia
>>>
>>>
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> _______________________________________________
>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>
>>> Community help: http://wiki.bestpractical.com
>>> Commercial support: sales at bestpractical.com
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>> Buy a copy at http://rtbook.bestpractical.com
>>>
>>>
>>> We're hiring! Come hack Perl for Best Practical: 
>>> http://bestpractical.com/about/jobs.html
>>
>
> --Tim Pritlove, Discordian Evangelist, Chaos Computer Club
> <mailto:tim at ccc.de> <http://tim.geekheim.de/> 
> <http://www.blinkenlights.de/>
> <jabber:tim at jabber.ccc.de> <gizmo://timpritlove> <skype://timpritlove>
> ------
> "We have Ph.D.s here who know the stuff cold, and we don't
> believe it's possible to protect digital content" -- Steve Jobs
>
>

-- 
Drew Barnes
Applications Analyst
Raymond Walters College
University of Cincinnati
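
An added example, not part of the original thread and not RT code: a small audit of the advice quoted above (remove "ShowTicket*" from anyone who lacks "SeeQueue"), run over a constructed list of grants. The group and queue names, the `(principal, right, queue)` tuple layout and the `"*"` marker for a global grant are assumptions of this sketch, and it checks each principal on its own without resolving group membership.

```python
from collections import defaultdict

# Constructed sample grants: (principal, right, queue).
# "*" stands for a global grant that applies to every queue (assumption).
GRANTS = [
    ("Support",  "SeeQueue",           "helpdesk"),
    ("Support",  "ShowTicket",         "helpdesk"),
    ("Support",  "ShowTicketComments", "helpdesk"),
    ("Billing",  "SeeQueue",           "invoices"),
    ("Billing",  "ShowTicket",         "invoices"),
    ("Everyone", "ShowTicket",         "*"),         # global, no SeeQueue anywhere
    ("Interns",  "ShowTicketComments", "invoices"),  # stray right, no SeeQueue
]
QUEUES = ["helpdesk", "invoices"]  # constructed queue names


def effective_rights(grants, queues):
    """Map (principal, queue) -> set of rights, expanding global grants."""
    rights = defaultdict(set)
    for principal, right, scope in grants:
        for queue in (queues if scope == "*" else [scope]):
            rights[(principal, queue)].add(right)
    return rights


def show_without_see(grants, queues):
    """List (principal, queue, rights) where a ShowTicket* right is held
    on a queue for which the same principal has no SeeQueue."""
    findings = []
    for (principal, queue), held in effective_rights(grants, queues).items():
        show = sorted(r for r in held if r.startswith("ShowTicket"))
        if show and "SeeQueue" not in held:
            findings.append((principal, queue, show))
    return sorted(findings)


if __name__ == "__main__":
    for principal, queue, show in show_without_see(GRANTS, QUEUES):
        print(f"{principal}: {', '.join(show)} on '{queue}' without SeeQueue")
```

Each finding is a grant to review: either the principal should also hold SeeQueue on that queue, or the ShowTicket* right should be removed.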