[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2

Carlos Garcia Montoro cgarcia at ific.uv.es
Fri Jun 5 08:42:13 EDT 2009


Yes. Everyone who is allowed to "ShowConfigTab" can modify the global RT 
at a glance, modifying others' homepage. I find it ugly...

Carlos

Jo Rhett wrote:
> Are you sure it's the global RT At a Glance?   It seems everyone can 
> modify it for themselves...
> 
> On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
>> Hi Kenn, hi everybody,
>>
>> Thank you for your answer. I was expecting the same behaviour as you. 
>> But to my unpleasant surprise, a user who only has
>> - "ShowConfigTab" global right for himself.
>> - "ShowApprovalsTab" global right for Privileged users. And
>> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights in 
>> those queues.
>> can do nothing harmful with the single exception of modifying the 
>> global RT at a glance.
>>
>> This behaviour has surprised me probably as much as you. Because of 
>> it, I would like someone else to check this configuration in order to see 
>> whether it is my fault (I am doing something wrong) or it is an RT bug 
>> (this happens to everybody, but it shouldn't).
>>
>> Greetings,
>> Carlos
>>
>> PS: I found somewhere an RT installation for testing purposes, but 
>> users' grants, including root's, were so restricted that I couldn't 
>> reproduce the configuration I wanted.
>>
>> Ken Crocker wrote:
>>> Carlos,
>>>    I may be mistaken, but I think the "ShowConfigTab" merely allows 
>>> the user to see that tab and the functions under it. The user still 
>>> needs to have other rights (like "ShowTemplate" and "ModifyTemplate") 
>>> in order to see/modify templates and I'm sure the same situation 
>>> exists for other objects to be modified.
>>> Kenn
>>> LBNL
>>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>>
>>>> Please, can anyone confirm for me that a user who only has the global 
>>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>>
>>>> I'm using RT 3.8.2 and I would like to know if either I'm doing 
>>>> something wrong or this is the expected behaviour. If this were the 
>>>> second case, should this be considered a bug?
>>>>
>>>> For a longer explanation, attached you can find my previous message.
>>>>
>>>> Thanking you in advance,
>>>> Carlos
>>>>
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> Subject:
>>>> [rt-users] Rights issue on Configuration -> Global -> RT at a glance 
>>>> on RT 3.8.2
>>>> From:
>>>> Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>>> Date:
>>>> Fri, 29 May 2009 12:18:06 +0200
>>>> To:
>>>> rt-users at lists.bestpractical.com
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I have a question/request about RT that I have neither been able to 
>>>> resolve by myself nor found on the RT wiki or by googling 
>>>> this mailing list.
>>>>
>>>> I'm a newbie using RT. I'm installing an organizational RT (ver. 
>>>> 3.8.2). We have some departments that are autonomous of each other. 
>>>> Thus, I want to grant some privileges for every admin group of each 
>>>> department. I want to allow them to handle their own queues, groups, 
>>>> etc. But I also want not to allow them to modify others' space. I 
>>>> have achieved this configuration, i.e. admins are only able to see 
>>>> their groups, admins can see all queues but they are only allowed to 
>>>> modify some properties (Cc, AdminCc,...)  of their own queues but 
>>>> not other queues. In order to do that I have granted them the global 
>>>> right "ShowConfigTab". Otherwise they had rights but they couldn't 
>>>> use them (they couldn't modify group membership of their groups,...).
>>>>
>>>> The problem I'm suffering is this: When I grant the "ShowConfigTab" 
>>>> right to a user or group, I'm also granting privileges to modify the 
>>>> global RT at a glance. Let me show an example: Let me create a user 
>>>> foo who can be granted rights ("Let this user be granted rights" is 
>>>> checked). This new user isn't a member of any group, so he has no 
>>>> rights other than "Everyone" and "Privileged". At this moment, 
>>>> global rights for these groups are the default (no global right for 
>>>> "Everyone", and only "ShowApprovalsTab" for "Privileged"). In some 
>>>> queues "Everyone" has two rights "CreateTicket" and "SeeQueue", but 
>>>> as far as I know they only grant privileges for creating a new 
>>>> ticket in these queues. Let this user be granted the global 
>>>> "ShowConfigTab" right ( "Configuration" -> "Global" -> "User 
>>>> Rights", and there foo is granted to "ShowConfigTab"). Now let foo 
>>>> log in. This user can see the configuration tab, but he can't modify 
>>>> anything since he is not allowed to. If he tries to modify anything 
>>>> RT won't allow it and foo will read a permission denied message. But 
>>>> if foo goes to "Configuration" -> "Global" -> "RT at a glance" and 
>>>> there he deletes "QuickCreate", RT allows it saying "Global portlet 
>>>> body saved.". Now let the privileged user bar log in. The RT at a 
>>>> glance of bar no longer has the "QuickCreate" frame when it 
>>>> previously had it. Hence, I don't want to grant foo the right of 
>>>> modifying the global RT at a glance!
>>>>
>>>> Is it the expected behaviour? Am I missing anything or doing 
>>>> something wrong?
>>>>
>>>> Thank you,
>>>> Carlos
>>>>
>>>> _______________________________________________
>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>
>>>> Community help: http://wiki.bestpractical.com
>>>> Commercial support: sales at bestpractical.com
>>>>
>>>>
>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
>>>> Buy a copy at http://rtbook.bestpractical.com
>>>>
>>
>> --_______ _______________________________________________________________
>> | __ __ | Carlos García Montoro                    Ingeniero Informático
>> |_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
>> |\_] [_/| Servicios Informáticos
>> |  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
>> |C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
>> |_______| España / Spain                              Fax: +34 963543488
> 
> --Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and 
> other randomness
> 
> 
> 
> 

-- 
  _______ _______________________________________________________________
| __ __ | Carlos García Montoro                    Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
|  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
|_______| España / Spain                              Fax: +34 963543488
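
Added example, not part of the original thread and not RT source code: a small Python model of the two authorization patterns the thread contrasts, a handler that also requires an object-level right (Ken Crocker's description of templates) and one that checks only the navigation right (the behaviour Carlos reports). "ShowConfigTab" and "ModifyTemplate" are right names quoted in the thread; "ModifyGlobalHomepage", the "MyTickets" portlet and all class and function names are hypothetical.

```python
# Model of the behaviour reported in this thread; not RT source code.
# "ModifyGlobalHomepage" is a hypothetical right invented for this sketch.

class Denied(Exception):
    pass

class Site:
    def __init__(self, grants):
        self.grants = grants  # user -> set of global rights
        self.global_homepage = ["QuickCreate", "MyTickets"]  # constructed portlets
        self.templates = {"Autoreply": "original"}  # constructed template

    def require(self, user, right):
        if right not in self.grants.get(user, set()):
            raise Denied(f"{user} lacks {right}")

    def modify_template(self, user, name, body):
        # Tab visibility plus a separate object-level right.
        self.require(user, "ShowConfigTab")
        self.require(user, "ModifyTemplate")
        self.templates[name] = body

    def remove_global_portlet_reported(self, user, portlet):
        # Reported behaviour: only the navigation right is checked.
        self.require(user, "ShowConfigTab")
        self.global_homepage.remove(portlet)

    def remove_global_portlet_checked(self, user, portlet):
        # Same action gated on its own (hypothetical) modify right.
        self.require(user, "ShowConfigTab")
        self.require(user, "ModifyGlobalHomepage")
        self.global_homepage.remove(portlet)

def attempt(action, *args):
    try:
        action(*args)
        return "saved"
    except Denied:
        return "denied"

def run_scenario():
    # foo holds only ShowConfigTab; bar is another user sharing the global page.
    site = Site({"foo": {"ShowConfigTab"}, "bar": set()})
    results = {
        "template": attempt(site.modify_template, "foo", "Autoreply", "x"),
        "checked": attempt(site.remove_global_portlet_checked, "foo", "QuickCreate"),
        "reported": attempt(site.remove_global_portlet_reported, "foo", "QuickCreate"),
    }
    results["bar_sees"] = list(site.global_homepage)
    results["template_body"] = site.templates["Autoreply"]
    return results
```
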