[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2

Carlos Garcia Montoro cgarcia at ific.uv.es
Thu Jun 11 05:23:08 EDT 2009


PS: It seems to me that Shawn Moore also worked on fixing it.

Carlos

Carlos Garcia Montoro wrote:
> Jo and Kenn,
> 
> Thank you for your comments about this issue. In the end it was an RT 
> bug. Fortunately, I created a ticket on http://rt3.fsck.com/ and the 
> people from Best Practical (I think that they were Kevin Falcone and 
> Jesse Vincent) put their hands on it immediately and they have just 
> solved this /*security bug*/.
> 
> This is part of the message posted by Kevin Falcone:
>  >The most important fix is that RT now requires the SuperUser
>  >right to edit global RT at a Glance.  In all previous 3.8
>  >releases, the "ShowConfigTab" right unintentionally enabled this.
>  >If you have not granted this right to any non-administrative user,
>  >then this issue should not affect you.
> 
> You can read the whole thing in the message "RT 3.8.4 Released" written by 
> Kevin. So, you should probably consider either patching your current 
> installation or upgrading it.
> 
> Kenn, Jo, thank you again for your help and comments, and thanks to the 
> people of bestpractical.
> 
> Best wishes,
> Carlos
> 
> Ken Crocker wrote:
>> Carlos,
>>
>>     I'm with Jo on this one. We are on 3.6.4 and I have over 100 users 
>> and the majority of them do /*NOT*/ have the "ShowConfigTab" right yet 
>> they /*ALL*/ can modify their "RT at a Glance" settings.
>>
>>
>> Kenn
>> LBNL
>>
>> On 6/5/2009 3:13 AM, Jo Rhett wrote:
>>> Are you sure it's the global RT At a Glance?   It seems everyone can 
>>> modify it for themselves...
>>>
>>> On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
>>>> Hi Kenn, hi everybody,
>>>>
>>>> Thank you for your answer. I was expecting the same behaviour as 
>>>> you. But for my unpleasant surprise, a user who only has
>>>> - "ShowConfigTab" global right for himself.
>>>> - "ShowApprovalsTab" global right for Privileged users. And
>>>> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights 
>>>> in those queues.
>>>> can do nothing harmful with the single exception of modifying the 
>>>> global RT at a glance.
>>>>
>>>> This behaviour has surprised me probably as much as you. Because of 
>>>> it, I would like someone else to check this configuration in order to 
>>>> see whether it is my fault (I am doing something wrong) or an RT bug 
>>>> (this happens to everybody, but it shouldn't).
>>>>
>>>> Greetings,
>>>> Carlos
>>>>
>>>> PS: I found an RT installation for testing purposes somewhere, but 
>>>> user grants, including root's, were so restricted that I couldn't 
>>>> reproduce the configuration I wanted.
>>>>
>>>> Ken Crocker wrote:
>>>>> Carlos,
>>>>>    I may be mistaken, but I think the "ShowConfigTab" merely allows 
>>>>> the user to see that tab and the functions under it. The user still 
>>>>> needs to have other rights (like "ShowTemplate" and 
>>>>> "ModifyTemplate") in order to see/modify templates and I'm sure the 
>>>>> same situation exists for other objects to be modified.
>>>>> Kenn
>>>>> LBNL
>>>>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>>>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>>>>
>>>>>> Please, can anyone confirm for me that a user who only has the global 
>>>>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>>>>
>>>>>> I'm using RT 3.8.2 and I would like to know if either I'm doing 
>>>>>> something wrong or this is the expected behaviour. If this were 
>>>>>> the second case, should this be considered a bug?
>>>>>>
>>>>>> For a longer explanation, attached you can find my previous message.
>>>>>>
>>>>>> Thanking you in advance,
>>>>>> Carlos
>>>>>>
>>>>>> ------------------------------------------------------------------------ 
>>>>>>
>>>>>> Subject: [rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2
>>>>>> From: Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>>>>> Date: Fri, 29 May 2009 12:18:06 +0200
>>>>>> To: rt-users at lists.bestpractical.com
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have a question/request about RT that I have neither been able to 
>>>>>> resolve by myself, nor have I found at the RT wiki or by googling 
>>>>>> this mailing list.
>>>>>>
>>>>>> I'm a newbie using RT. I'm installing an organizational RT (ver. 
>>>>>> 3.8.2). We have some departments that are autonomous from each 
>>>>>> other. Thus, I want to grant some privileges to every admin group 
>>>>>> of each department. I want to allow them to handle their own 
>>>>>> queues, groups, etc. But I also don't want to allow them to modify 
>>>>>> others' space. I have achieved this configuration, i.e. admins are 
>>>>>> only able to see their groups, admins can see all queues but they 
>>>>>> are only allowed to modify some properties (Cc, AdminCc, ...) of 
>>>>>> their own queues but not other queues. In order to do that I have 
>>>>>> granted them the global right "ShowConfigTab". Otherwise they had 
>>>>>> the rights but they couldn't use them (they couldn't modify group 
>>>>>> membership of their groups, ...).
>>>>>>
>>>>>> The problem I'm suffering is this: When I grant the 
>>>>>> "ShowConfigTab" right to a user or group, I'm also granting 
>>>>>> privileges to modify the global RT at a glance. Let me show an 
>>>>>> example: Let me create a user foo who can be granted rights ("Let 
>>>>>> this user be granted rights" is checked). This new user isn't a 
>>>>>> member of any group, so he has no rights other than "Everyone" and 
>>>>>> "Privileged". At this moment, global rights for these groups are 
>>>>>> the default (no global right for "Everyone", and only 
>>>>>> "ShowApprovalsTab" for "Privileged"). In some queues "Everyone" 
>>>>>> has two rights "CreateTicket" and "SeeQueue", but as far as I know 
>>>>>> they only grant privileges for creating a new ticket in these 
>>>>>> queues. Let this user be granted the global "ShowConfigTab" right 
>>>>>> ( "Configuration" -> "Global" -> "User Rights", and there foo is 
>>>>>> granted to "ShowConfigTab"). Now let foo log in. This user can see 
>>>>>> the configuration tab, but he can't modify anything since he is 
>>>>>> not allowed to. If he tries to modify anything RT won't allow it 
>>>>>> and foo will read a permission denied message. But if foo goes to 
>>>>>> "Configuration" -> "Global" -> "RT at a glance" and there he 
>>>>>> deletes "QuickCreate", RT allows it saying "Global portlet body 
>>>>>> saved.". Now let the privileged user bar log in. The RT at a 
>>>>>> glance of bar no longer has the "QuickCreate" frame that it 
>>>>>> previously had. Hence, I don't want to grant foo the right of 
>>>>>> modifying the global RT at a glance!
>>>>>>
>>>>>> Is it the expected behaviour? Am I missing anything or doing 
>>>>>> something wrong?
>>>>>>
>>>>>> Thank you,
>>>>>> Carlos
>>>>>>
>>>>>> _______________________________________________
>>>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>>>
>>>>>> Community help: http://wiki.bestpractical.com
>>>>>> Commercial support: sales at bestpractical.com
>>>>>>
>>>>>>
>>>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly 
>>>>>> Media. Buy a copy at http://rtbook.bestpractical.com
>>>>>>
>>>>
>>>> -- 
>>>>   _______ _______________________________________________________________
>>>> | __ __ | Carlos García Montoro                    Ingeniero Informático
>>>> |_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
>>>> |\_] [_/| Servicios Informáticos
>>>> |  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
>>>> |C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
>>>> |_______| España / Spain                              Fax: +34 963543488
>>>
> 

-- 
  _______ _______________________________________________________________
| __ __ | Carlos García Montoro                    Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
|  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
|_______| España / Spain                              Fax: +34 963543488
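The following is an added example, not code from this thread or from RT itself. It is a small Python model of the rights situation Carlos describes: rights granted globally (on RT::System) or on a queue, to a user directly or through the system groups Everyone and Privileged; the 3.8.2 behaviour in which the ShowConfigTab right alone was enough to save the global RT at a Glance; and the 3.8.4 rule quoted from Kevin Falcone, which requires SuperUser. It also carries out the check his release note implies: list every principal holding a global ShowConfigTab without SuperUser, since an empty list means the bug does not expose anyone on that installation. The queue name "helpdesk" and the users foo, bar and root are constructed sample data, and the function names are this example's own, not RT's API.

```python
"""Toy model of the RT rights check discussed in this thread.

Constructed for illustration; this is not RT's code. It models only what the
thread states: rights live on RT::System (global) or on a queue and are
granted to a user directly or to a group, including the system groups
Everyone and Privileged. In RT 3.8.2 the ShowConfigTab right alone let a
user save the global RT at a Glance; RT 3.8.4 requires SuperUser instead.
The queue "helpdesk" and the users foo, bar and root are example data.
"""
from dataclasses import dataclass

GLOBAL = "RT::System"
EVERYONE = "Everyone"
PRIVILEGED = "Privileged"


@dataclass(frozen=True)
class Grant:
    principal: str      # user name or group name the right is granted to
    right: str          # e.g. "ShowConfigTab", "SuperUser", "AdminQueue"
    obj: str = GLOBAL   # GLOBAL, or a queue name for a queue-level right


@dataclass(frozen=True)
class User:
    name: str
    privileged: bool = True
    groups: frozenset = frozenset()

    def principals(self):
        """Every principal a grant may match for this user: the user itself,
        Everyone, Privileged (if privileged) and explicit group memberships."""
        ps = {self.name, EVERYONE} | set(self.groups)
        if self.privileged:
            ps.add(PRIVILEGED)
        return ps


def has_right(user, right, grants, obj=GLOBAL):
    """True if some grant of `right` applies to `user` on `obj`.
    A global grant satisfies a check on any object; a queue-level grant
    only satisfies a check on that queue."""
    ps = user.principals()
    return any(g.right == right and g.principal in ps and g.obj in (GLOBAL, obj)
               for g in grants)


def can_edit_global_rt_at_a_glance(user, grants, fixed=True):
    """fixed=False reproduces the 3.8.2 behaviour Carlos hit: the
    tab-visibility right ShowConfigTab was enough to save the global portlet
    layout. fixed=True is the 3.8.4 rule from the release note: SuperUser only."""
    if has_right(user, "SuperUser", grants):
        return True
    if not fixed:
        return has_right(user, "ShowConfigTab", grants)
    return False


def non_admin_config_tab_holders(grants):
    """The check implied by the release note: principals granted a global
    ShowConfigTab that do not also hold SuperUser. An empty set means the
    3.8.2 bug exposes nobody on this configuration."""
    supers = {g.principal for g in grants
              if g.right == "SuperUser" and g.obj == GLOBAL}
    return {g.principal for g in grants
            if g.right == "ShowConfigTab" and g.obj == GLOBAL
            and g.principal not in supers}


# Carlos's configuration, reconstructed from his description (example data).
GRANTS = [
    Grant(PRIVILEGED, "ShowApprovalsTab"),        # default global right
    Grant(EVERYONE, "CreateTicket", "helpdesk"),  # queue-level rights he listed
    Grant(EVERYONE, "SeeQueue", "helpdesk"),
    Grant("foo", "ShowConfigTab"),                # the only right given to foo
    Grant("root", "SuperUser"),
]
FOO, BAR, ROOT = User("foo"), User("bar"), User("root")

if __name__ == "__main__":
    for fixed in (False, True):
        label = "3.8.4 rule" if fixed else "3.8.2 behaviour"
        print(label, {u.name: can_edit_global_rt_at_a_glance(u, GRANTS, fixed)
                      for u in (FOO, BAR, ROOT)})
    print("exposed principals:", non_admin_config_tab_holders(GRANTS))
```

The model makes Ken's point concrete as well: foo passes `has_right` for ShowConfigTab and for CreateTicket on "helpdesk", but not for AdminQueue on that queue, so the visibility right by itself unlocks nothing else; the global RT at a Glance was the one place where it did. On a real installation the equivalent audit is done against the grants shown under Configuration -> Global -> Group Rights and User Rights, not against this toy.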