[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2
Carlos Garcia Montoro
cgarcia at ific.uv.es
Fri Jun 5 08:42:13 EDT 2009
Yes. Everyone who is allowed to "ShowConfigTab" can modify the global RT
at a glance, modifying other's homepage. I find it ugly...
Carlos
Jo Rhett wrote:
> Are you sure it's the global RT At a Glance? It seems everyone can
> modify it for themselves...
>
> On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
>> Hi Kenn, hi everybody,
>>
>> Thank you for your answer. I was expecting the same behaviour as you.
>> But for my unpleasant surprise, a user who only has
>> - "ShowConfigTab" global right for himself.
>> - "ShowAprovalsTab" global right for Privileged users. And
>> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights in
>> those queues.
>> can do nothing harmful with the single exception of modifying the
>> global RT at a glance.
>>
>> This behaviour has surprised me probably as much as you. Because of
>> it, I want that someone else checks this configuration in order to see
>> whether it is my fault (I am doing something wrong) or it is a RT bug
>> (this happens to everybody, but it shouldn't).
>>
>> Greetings,
>> Carlos
>>
>> PS: I found somewhere a RT installation for testing purposes, but
>> users grants, including root, where so restricted, that I couldn't
>> reproduce the configuration I wanted.
>>
>> Ken Crocker wrote:
>>> Carlos,
>>> I may be mistaken, butI think the "ShowConfigTab" merely allows
>>> the user to see that tab and the functions under it. The user still
>>> needs to have other rights (like "ShowTemplate" and "ModifyTemplate")
>>> in order to see/modify templates and I'm sure the same situation
>>> exists for other objects to be modified.
>>> Kenn
>>> LBNL
>>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>>
>>>> Please, can anyone confirm me that a user who only has the global
>>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>>
>>>> I'm using RT 3.8.2 and I would like to know if either I'm doing
>>>> something wrong or this is the expected behaviour. If this were the
>>>> second case, should this be considered a bug?
>>>>
>>>> For a longer explanation, attached you can find my previous message.
>>>>
>>>> Thanking you in advance,
>>>> Carlos
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> Subject:
>>>> [rt-users] Rights issue on Configuration -> Global -> RT at a glance
>>>> on RT 3.8.2
>>>> From:
>>>> Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>>> Date:
>>>> Fri, 29 May 2009 12:18:06 +0200
>>>> To:
>>>> rt-users at lists.bestpractical.com
>>>>
>>>> To:
>>>> rt-users at lists.bestpractical.com
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I've a question/request about RT that I have been neither able to
>>>> resolve from myself, nor have I found it at the RT wiki or googling
>>>> this mailing list.
>>>>
>>>> I'm newbie using RT. I'm installing an organizational RT (ver.
>>>> 3.8.2). We have some departments that are autonomous of each other.
>>>> Thus, I want to grant some privileges for every admin group of each
>>>> department. I want to allow them to handle their own queues, groups,
>>>> etc. But I also want not to allow them to modify others space. I
>>>> have achieved this configuration, i.e. admins are only able to see
>>>> their groups, admins can see all queues but they are only allowed to
>>>> modify some properties (Cc, AdminCc,...) of their own queues but
>>>> not other queues. In order to do that I have granted them the global
>>>> right "ShowConfigTab". Otherwise they had rights but they couldn't
>>>> use them (they couldn't modify group membership of their groups,...).
>>>>
>>>> The problem I'm suffering is this: When I grant the "ShowConfigTab"
>>>> right to a user or group, I'm also granting privileges to modify the
>>>> global RT at a glance. Let me show an example: Let me create a user
>>>> foo who can be granted rights ("Let this user be granted rights" is
>>>> checked). This new user isn't a member of any group, so he has no
>>>> right rather than "Everyone" and "Privileged". At this moment,
>>>> global rights for these groups are the default (no global right for
>>>> "Everyone", and only "ShowApprovalsTab" for "Privileged"). In some
>>>> queues "Everyone" has two rights "CreateTicket" and "SeeQueue", but
>>>> as far as I know they only grant privileges for creating a new
>>>> ticket in these queues. Let this user be granted the global
>>>> "ShowConfigTab" right ( "Configuration" -> "Global" -> "User
>>>> Rights", and there foo is granted to "ShowConfigTab"). Now let foo
>>>> log in. This user can see the configuration tab, but he can't modify
>>>> anything since he is not allowed to. If he tries to modify anything
>>>> RT won't allow it and foo will read a permission denied message. But
>>>> if foo goes to "Configuration" -> "Global" -> "RT at a glance" and
>>>> there he deletes "QuickCreate", RT allows it saying "Global portlet
>>>> body saved.". Now let the privileged user bar log in. The RT at a
>>>> glance of bar has no longer the "QuickCreate" frame when it
>>>> previously had it. Hence, I don't want to grant foo the right of
>>>> modifying the global RT at a glance!
>>>>
>>>> Is it the expected behaviour? Am I missing anything or doing
>>>> something wrong?
>>>>
>>>> Thank you,
>>>> Carlos
>>>>
>>>> _______________________________________________
>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>
>>>> Community help: http://wiki.bestpractical.com
>>>> Commercial support: sales at bestpractical.com
>>>>
>>>>
>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>>> Buy a copy at http://rtbook.bestpractical.com
>>>> _______________________________________________
>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>
>>>> Community help: http://wiki.bestpractical.com
>>>> Commercial support: sales at bestpractical.com
>>>>
>>>>
>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>>> Buy a copy at http://rtbook.bestpractical.com
>>>>
>>
>> --_______ _______________________________________________________________
>> | __ __ | Carlos García Montoro Ingeniero Informático
>> |_\_Y_/_| Instituto de Física Corpuscular Centro Mixto CSIC - UV
>> |\_] [_/| Servicios Informáticos
>> | [_] | Edificio Institutos de Investigación cgarcia at ific.uv.es
>> |C S I C| Apartado de Correos 22085 E-46071 Valencia Tel: +34 963543706
>> |_______| España / Spain Fax: +34 963543488
>> <cgarcia.vcf>_______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>
> --Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and
> other randomness
>
>
>
>
--
_______ _______________________________________________________________
| __ __ | Carlos García Montoro Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
| [_] | Edificio Institutos de Investigación cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia Tel: +34 963543706
|_______| España / Spain Fax: +34 963543488
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cgarcia.vcf
Type: text/x-vcard
Size: 441 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20090605/e92cd21f/attachment.vcf>
More information about the rt-users
mailing list