[rt-users] Self Service Security

Uli Staerk Uli.Staerk at globalways.net
Tue Oct 24 13:28:33 EDT 2006


The unprivileged user currently has the following rights:
- ReplyToTicket
- ShowTicket
- ModifySelf

But the user is still able to view *all* tickets from *any* user by
changing the ticket-id in the request url.

How can I fix this security issue, so that the user can only see his own
tickets?


