[rt-users] Why an unprivileged user can see any ticket?
thep.sykheo at degremont.com
Tue Jun 27 10:35:36 EDT 2006
Hi,
I found the solution. The right "ShowTicket" must be granted to the Requestor
role and not to the Unprivileged group.
Regards.
Thep SYKHEO Direction des Systèmes d'Information - IT
Department
tél : +33 (0) 1 46 25 60 41 - fax : +33 (0) 1 46 25 66 60
thep.sykheo at degremont.com
DEGREMONT, Groupe SUEZ
Les spécialistes du traitement d'eau - Water treatment
specialists
183, avenue du 18 juin 1940 - 92508 Rueil-Malmaison Cedex
France
http://www.degremont.com
Todd Chapman <todd at chaka.net>
27/06/2006 16:17
To: thep.sykheo at degremont.com
cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Why an unprivileged user can see any ticket?
The RTx::RightsMatrix extension should be able to tell you how
the unprivileged group is getting the ShowTicket right.
On Tue, Jun 27, 2006 at 03:08:46PM +0200, thep.sykheo at degremont.com wrote:
> Hi,
>
> I am testing RT 3.4.5. When I connect as an unprivileged user, I can
> select the "Goto ticket" button and see a ticket which is not mine.
> This is not very secure. How can I prevent this?
>
> Thanks in advance.
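An added example, not part of the original thread and not RT's own code: a small self-contained audit that flags a right such as ShowTicket when it is held by a whole class of accounts (the Unprivileged or Everyone groups) instead of a per-ticket role such as Requestor, which is the misconfiguration and fix discussed above. The table and column names are a simplified model of RT's ACL and Groups tables and are assumptions to check against your own schema; all rows are constructed sample data.

```python
import sqlite3

# Simplified model of RT's Groups and ACL tables (assumed names; constructed rows).
SCHEMA = """
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Domain TEXT, Type TEXT);
CREATE TABLE ACL (id INTEGER PRIMARY KEY, PrincipalType TEXT, PrincipalId INTEGER,
                  RightName TEXT, ObjectType TEXT, ObjectId INTEGER);
INSERT INTO Groups VALUES (3, 'SystemInternal', 'Everyone'),
                          (4, 'SystemInternal', 'Privileged'),
                          (5, 'SystemInternal', 'Unprivileged'),
                          (10, 'RT::Queue-Role', 'Requestor');
"""

# Grants of a right to every account of a class, rather than to a ticket role.
AUDIT = """
SELECT g.Type, a.ObjectType, a.ObjectId
FROM ACL a JOIN Groups g ON g.id = a.PrincipalId
WHERE a.RightName = ?
  AND g.Domain = 'SystemInternal'
  AND g.Type IN ('Everyone', 'Unprivileged')
ORDER BY a.id
"""

def build(grants):
    """Create an in-memory database holding the given ACL rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO ACL (PrincipalType, PrincipalId, RightName, ObjectType, ObjectId)"
        " VALUES (?, ?, ?, ?, ?)", grants)
    return db

def broad_grants(db, right="ShowTicket"):
    """Return (group, object type, object id) for each over-broad grant."""
    return db.execute(AUDIT, (right,)).fetchall()

# Before: ShowTicket on queue 1 is granted to the Unprivileged group,
# so any unprivileged user can open any ticket in that queue.
BEFORE = [("Group", 5, "ShowTicket", "RT::Queue", 1),
          ("Group", 3, "CreateTicket", "RT::Queue", 1)]
# After: ShowTicket is granted to the Requestor role, so it applies
# only to tickets on which the user is a requestor.
AFTER = [("Requestor", 10, "ShowTicket", "RT::Queue", 1),
         ("Group", 3, "CreateTicket", "RT::Queue", 1)]

if __name__ == "__main__":
    for label, grants in (("before", BEFORE), ("after", AFTER)):
        print(label, broad_grants(build(grants)))
```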