[rt-users] ACE to Suppress History display

Gene LeDuc gleduc at mail.sdsu.edu
Thu Apr 19 20:00:23 EDT 2007

Thanks for your suggestion, Ruslan, but it still gives our users way too 
much to think about.

This project lets users request a DNS entry for a server.  The user fills 
out a web form, some sanity checking happens, and then if it looks good php 
sends the formatted data to RT via e-mail.  A ticket gets created in our 
DNS queue.  The user gets an e-mail saying that we've opened the ticket and 
we get an e-mail alerting us to the new ticket.  The user's e-mail has a 
link to the ticket plus a random password if it's the first time we've seen 
him; if he already has an account in RT then he can reply with RESET to get 
his password reset and mailed back to him (because he's probably forgotten 
it).  Once we've added his server to the DNS zone files, we close the 
ticket either by replying with OK to our e-mail or by setting the status to 
resolved using the RT web interface.  Both cases generate an e-mail to the 
user telling him that the DNS entries have been made.

When our user clicks on the link in his e-mail, we do not want him seeing 
the e-mail that came from php, the custom field transactions that we use to 
trigger scrips, the OK reply e-mail from us, the RESET replies from him, or 
anything else that is likely to generate a call asking for an 
explanation.  All we want him to see is the filled in fields of the ticket 
so he knows that it exists, that it has a due date, and that the due date 
is still in the future.  Anything else is going to generate unwanted calls, 
wasted explanations, and probably suggestions as to how he could put 
together a neat little MS Access program that would do it better.  In order 
to avoid all this we want to control what he sees - and in this case it 
means hiding everything that shows up under History.

The rights I've given are these:
   Requestor (Global) - SeeCustomField, SeeQueue, ShowTicket
   Everyone (DNS Queue) - CreateTicket, SeeQueue
   Requestor (DNS Queue) - ReplyToTicket, SeeQueue, ShowTicket

(I don't know why I ended up with SeeQueue and ShowTicket for Requestor in 
both Global and Queue contexts, but it works and I got tired of messing 
with ACLs.)

With the above rights, the user can see all of the stuff we don't want him 
to see in the ticket.  He sees the original e-mail (highly formatted for 
regex parsing) which he won't understand, the transactions for the custom 
fields, the status change from new to open, and possibly our OK and his 
RESET replies with all the quoted text that we were too lazy to remove.

What I've done is comment out parts of the SelfService/Display.html code so 
that the History part is skipped.  This was the only way I could figure out 
to keep the user away from the History stuff.  The beneficial side effects 
are that his tickets display much faster and I don't see "[crit] Mason" 
errors in my logs when he clicks out of the display page before the history 
finishes displaying.

At 03:47 PM 4/19/2007, Ruslan Zakirov wrote:
>Why don't you use Comment/Correspond differences? Requestor can see
>corresponds and cannot comments, so you can put things user shouldn't
>see into comments. ShowTicketComments right control this.
>On 4/19/07, Gene LeDuc <gleduc at mail.sdsu.edu> wrote:
>>Is there and ACL Right (or combination of rights) that I can use to take
>>away the ability of a user to display ticket history?  When we send our
>>user a link so that he can check the status of his ticket, we do not want
>>him looking at the ticket history.  If we do allow him to see the history
>>we are going to get endless "What does it mean when it says...?"
>>questions.  All the user needs to know is that the ticket exists, its
>>status, some dates - the basic stuff.  The RT Book wasn't much help for me
>>and I haven't been able to make this happen through trial and error.
>>A little bit more on this:
>>When the ticket is created, a login password is generated for the user and
>>he gets an acknowledgement e-mail with a link to the ticket and his login
>>credentials.  So he already has the rights to login to RT and see his
>>ticket (the ShowTicket right is granted to Requestor in the queue).  It
>>just shows him more than we want him to see.
>Best regards, Ruslan.

More information about the rt-users mailing list