[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2
Jo Rhett
jrhett at netconsonance.com
Fri Jun 5 06:13:10 EDT 2009
Are you sure it's the global RT At a Glance? It seems everyone can
modify it for themselves...
On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
> Hi Kenn, hi everybody,
>
> Thank you for your answer. I was expecting the same behaviour as
> you. But to my unpleasant surprise, a user who only has
> - "ShowConfigTab" global right for himself.
> - "ShowApprovalsTab" global right for Privileged users. And
> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights
> in those queues.
> can do nothing harmful with the single exception of modifying the
> global RT at a glance.
>
> This behaviour has surprised me probably as much as you. Because of
> it, I would like someone else to check this configuration in order to
> see whether it is my fault (I am doing something wrong) or it is an
> RT bug (this happens to everybody, but it shouldn't).
>
> Greetings,
> Carlos
>
> PS: I found somewhere an RT installation for testing purposes, but
> user grants, including root, were so restricted that I couldn't
> reproduce the configuration I wanted.
>
> Ken Crocker wrote:
>> Carlos,
>> I may be mistaken, but I think the "ShowConfigTab" merely allows
>> the user to see that tab and the functions under it. The user still
>> needs to have other rights (like "ShowTemplate" and
>> "ModifyTemplate") in order to see/modify templates and I'm sure the
>> same situation exists for other objects to be modified.
>> Kenn
>> LBNL
>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>
>>> Please, can anyone confirm to me that a user who only has the global
>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>
>>> I'm using RT 3.8.2 and I would like to know if either I'm doing
>>> something wrong or this is the expected behaviour. If this were
>>> the second case, should this be considered a bug?
>>>
>>> For a longer explanation, attached you can find my previous message.
>>>
>>> Thanking you in advance,
>>> Carlos
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Subject:
>>> [rt-users] Rights issue on Configuration -> Global -> RT at a
>>> glance on RT 3.8.2
>>> From:
>>> Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>> Date:
>>> Fri, 29 May 2009 12:18:06 +0200
>>> To:
>>> rt-users at lists.bestpractical.com
>>>
>>>
>>> Hello,
>>>
>>> I have a question/request about RT that I have neither been able to
>>> resolve by myself, nor found on the RT wiki or by
>>> googling this mailing list.
>>>
>>> I'm a newbie using RT. I'm installing an organizational RT (ver.
>>> 3.8.2). We have some departments that are autonomous of each
>>> other. Thus, I want to grant some privileges for every admin group
>>> of each department. I want to allow them to handle their own
>>> queues, groups, etc. But I also want not to allow them to modify
>>> others' space. I have achieved this configuration, i.e. admins are
>>> only able to see their groups, admins can see all queues but they
>>> are only allowed to modify some properties (Cc, AdminCc,...) of
>>> their own queues but not other queues. In order to do that I have
>>> granted them the global right "ShowConfigTab". Otherwise they had
>>> rights but they couldn't use them (they couldn't modify group
>>> membership of their groups,...).
>>>
>>> The problem I'm suffering is this: When I grant the
>>> "ShowConfigTab" right to a user or group, I'm also granting
>>> privileges to modify the global RT at a glance. Let me show an
>>> example: Let me create a user foo who can be granted rights ("Let
>>> this user be granted rights" is checked). This new user isn't a
>>> member of any group, so he has no rights other than "Everyone" and
>>> "Privileged". At this moment, global rights for these groups are
>>> the default (no global right for "Everyone", and only
>>> "ShowApprovalsTab" for "Privileged"). In some queues "Everyone"
>>> has two rights "CreateTicket" and "SeeQueue", but as far as I know
>>> they only grant privileges for creating a new ticket in these
>>> queues. Let this user be granted the global "ShowConfigTab" right
>>> ( "Configuration" -> "Global" -> "User Rights", and there foo is
>>> granted to "ShowConfigTab"). Now let foo log in. This user can see
>>> the configuration tab, but he can't modify anything since he is
>>> not allowed to. If he tries to modify anything RT won't allow it
>>> and foo will read a permission denied message. But if foo goes to
>>> "Configuration" -> "Global" -> "RT at a glance" and there he
>>> deletes "QuickCreate", RT allows it saying "Global portlet body
>>> saved.". Now let the privileged user bar log in. The RT at a
>>> glance of bar no longer has the "QuickCreate" frame when it
>>> previously had it. Hence, I don't want to grant foo the right of
>>> modifying the global RT at a glance!
>>>
>>> Is it the expected behaviour? Am I missing anything or doing
>>> something wrong?
>>>
>>> Thank you,
>>> Carlos
>>>
>>> _______________________________________________
>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>
>>> Community help: http://wiki.bestpractical.com
>>> Commercial support: sales at bestpractical.com
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly
>>> Media. Buy a copy at http://rtbook.bestpractical.com
>>>
>
> --
> _______ _______________________________________________________________
> | __ __ | Carlos García Montoro Ingeniero Informático
> |_\_Y_/_| Instituto de Física Corpuscular Centro Mixto CSIC - UV
> |\_] [_/| Servicios Informáticos
> | [_] | Edificio Institutos de Investigación cgarcia at ific.uv.es
> |C S I C| Apartado de Correos 22085 E-46071 Valencia Tel: +34 963543706
> |_______| España / Spain Fax: +34 963543488
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness