[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2
Carlos Garcia Montoro
cgarcia at ific.uv.es
Thu Jun 11 05:23:08 EDT 2009
PS: It seems to me that Shawn Moore also worked on fixing it.
Carlos
Carlos Garcia Montoro wrote:
> Jo and Kenn,
>
> Thank you for your comments about this issue. In the end it was a bug in
> RT. Fortunately, I created a ticket on http://rt3.fsck.com/ and the
> people from Best Practical (I think that they were Kevin Falcone and
> Jesse Vincent) put their hands on it immediately and they have just
> solved this /*security bug*/.
>
> This is part of the message posted by Kevin Falcone:
> >The most important fix is that RT now requires the SuperUser
> >right to edit global RT at a Glance. In all previous 3.8
> >releases, the "ShowConfigTab" right unintentionally enabled this.
> >If you have not granted this right to any non-administrative user,
> >then this issue should not affect you.
>
> You can read the whole thing in the message "RT 3.8.4 Released" written by
> Kevin. So, you probably should consider either patching your current
> installation or upgrading it.
>
> Kenn, Jo, thank you again for your help and comments, and thanks to the
> people of bestpractical.
>
> Best wishes,
> Carlos
>
> Ken Crocker wrote:
>> Carlos,
>>
>> I'm with Jo on this one. We are on 3.6.4 and I have over 100 users
>> and the majority of them do /*NOT*/ have the "ShowConfigTab" right yet
>> they /*ALL*/ can modify their "RT at a Glance" settings.
>>
>>
>> Kenn
>> LBNL
>>
>> On 6/5/2009 3:13 AM, Jo Rhett wrote:
>>> Are you sure it's the global RT At a Glance? It seems everyone can
>>> modify it for themselves...
>>>
>>> On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
>>>> Hi Kenn, hi everybody,
>>>>
>>>> Thank you for your answer. I was expecting the same behaviour as
>>>> you. But to my unpleasant surprise, a user who only has
>>>> - "ShowConfigTab" global right for himself.
>>>> - "ShowApprovalsTab" global right for Privileged users. And
>>>> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights
>>>> in those queues.
>>>> can do nothing harmful with the single exception of modifying the
>>>> global RT at a glance.
>>>>
>>>> This behaviour has surprised me probably as much as you. Because of
>>>> it, I want someone else to check this configuration in order to
>>>> see whether it is my fault (I am doing something wrong) or it is an
>>>> RT bug (this happens to everybody, but it shouldn't).
>>>>
>>>> Greetings,
>>>> Carlos
>>>>
>>>> PS: I found somewhere an RT installation for testing purposes, but
>>>> user grants, including root's, were so restricted that I couldn't
>>>> reproduce the configuration I wanted.
>>>>
>>>> Ken Crocker wrote:
>>>>> Carlos,
>>>>> I may be mistaken, but I think the "ShowConfigTab" merely allows
>>>>> the user to see that tab and the functions under it. The user still
>>>>> needs to have other rights (like "ShowTemplate" and
>>>>> "ModifyTemplate") in order to see/modify templates and I'm sure the
>>>>> same situation exists for other objects to be modified.
>>>>> Kenn
>>>>> LBNL
>>>>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>>>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>>>>
>>>>>> Please, can anyone confirm to me that a user who only has the global
>>>>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>>>>
>>>>>> I'm using RT 3.8.2 and I would like to know if either I'm doing
>>>>>> something wrong or this is the expected behaviour. If this were
>>>>>> the second case, should this be considered a bug?
>>>>>>
>>>>>> For a longer explanation, attached you can find my previous message.
>>>>>>
>>>>>> Thanking you in advance,
>>>>>> Carlos
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> Subject: [rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2
>>>>>> From: Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>>>>> Date: Fri, 29 May 2009 12:18:06 +0200
>>>>>> To: rt-users at lists.bestpractical.com
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have a question/request about RT that I have been able neither to
>>>>>> resolve by myself nor to find on the RT wiki or by googling this
>>>>>> mailing list.
>>>>>>
>>>>>> I'm a newbie using RT. I'm installing an organizational RT (ver.
>>>>>> 3.8.2). We have some departments that are autonomous from each
>>>>>> other. Thus, I want to grant some privileges to every admin group
>>>>>> of each department. I want to allow them to handle their own
>>>>>> queues, groups, etc. But I also do not want to allow them to modify
>>>>>> others' space. I have achieved this configuration, i.e. admins are
>>>>>> only able to see their groups, admins can see all queues but they
>>>>>> are only allowed to modify some properties (Cc, AdminCc,...) of
>>>>>> their own queues but not other queues. In order to do that I have
>>>>>> granted them the global right "ShowConfigTab". Otherwise they had
>>>>>> rights but they couldn't use them (they couldn't modify group
>>>>>> membership of their groups,...).
>>>>>>
>>>>>> The problem I'm suffering is this: When I grant the
>>>>>> "ShowConfigTab" right to a user or group, I'm also granting
>>>>>> privileges to modify the global RT at a glance. Let me show an
>>>>>> example: Let me create a user foo who can be granted rights ("Let
>>>>>> this user be granted rights" is checked). This new user isn't a
>>>>>> member of any group, so he has no rights other than those of "Everyone"
>>>>>> and "Privileged". At this moment, global rights for these groups are
>>>>>> the default (no global right for "Everyone", and only
>>>>>> "ShowApprovalsTab" for "Privileged"). In some queues "Everyone"
>>>>>> has two rights, "CreateTicket" and "SeeQueue", but as far as I know
>>>>>> they only grant privileges for creating a new ticket in these
>>>>>> queues. Let this user be granted the global "ShowConfigTab" right
>>>>>> ("Configuration" -> "Global" -> "User Rights", and there foo is
>>>>>> granted "ShowConfigTab"). Now let foo log in. This user can see
>>>>>> the configuration tab, but he can't modify anything since he is
>>>>>> not allowed to. If he tries to modify anything RT won't allow it
>>>>>> and foo will read a permission denied message. But if foo goes to
>>>>>> "Configuration" -> "Global" -> "RT at a glance" and there he
>>>>>> deletes "QuickCreate", RT allows it saying "Global portlet body
>>>>>> saved.". Now let the privileged user bar log in. bar's RT at a
>>>>>> glance no longer has the "QuickCreate" frame that it previously
>>>>>> had. Hence, I don't want to grant foo the right of
>>>>>> modifying the global RT at a glance!
>>>>>>
>>>>>> Is it the expected behaviour? Am I missing anything or doing
>>>>>> something wrong?
>>>>>>
>>>>>> Thank you,
>>>>>> Carlos
>>>>>>
>>>>>> _______________________________________________
>>>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>>>
>>>>>> Community help: http://wiki.bestpractical.com
>>>>>> Commercial support: sales at bestpractical.com
>>>>>>
>>>>>>
>>>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly
>>>>>> Media. Buy a copy at http://rtbook.bestpractical.com
>>>>
>>>
>
--
_______ _______________________________________________________________
| __ __ | Carlos García Montoro Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
| [_] | Edificio Institutos de Investigación cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia Tel: +34 963543706
|_______| España / Spain Fax: +34 963543488
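As an added illustration (not code from the thread or from RT itself), here is a small Python model of the two rights checks discussed above and an audit of the grant Kevin's note says matters. The ACL row shape (PrincipalType, PrincipalId, RightName, ObjectType, ObjectId, with global rights held against RT::System id 1), the group memberships and every sample row are assumptions constructed for the example.

```python
"""Model of the RT 3.8 'global RT at a glance' rights issue plus an audit check.
Constructed example; not RT code. The ACL column layout below is an assumption."""

GLOBAL = ("RT::System", 1)   # assumed: global rights are stored against RT::System id 1

# Constructed ACL rows for the setup described in the thread (not real data):
# (PrincipalType, PrincipalId, RightName, ObjectType, ObjectId)
SAMPLE_ACL = [
    ("Group", 1,  "SuperUser",        "RT::System", 1),   # admins group
    ("User",  42, "ShowConfigTab",    "RT::System", 1),   # user "foo"
    ("Group", 4,  "ShowApprovalsTab", "RT::System", 1),   # Privileged
    ("Group", 2,  "CreateTicket",     "RT::Queue",  7),   # Everyone, one queue
    ("Group", 2,  "SeeQueue",         "RT::Queue",  7),
]
# Constructed memberships: principal -> groups it belongs to (ids are hypothetical).
MEMBERS = {("User", 42): [("Group", 2), ("Group", 4)],                # foo
           ("User", 7):  [("Group", 1), ("Group", 2), ("Group", 4)]}  # root

def principals_for(principal):
    """A principal acts with its own grants plus those of its groups."""
    return [principal] + MEMBERS.get(principal, [])

def has_right(acl, principal, right, obj=GLOBAL):
    """True if principal (or a group it is in) holds `right` on `obj`.
    SuperUser is treated as implying every right, as it does in RT."""
    mine = principals_for(principal)
    for ptype, pid, rname, otype, oid in acl:
        if (ptype, pid) in mine and (otype, oid) == obj and rname in (right, "SuperUser"):
            return True
    return False

def can_edit_global_glance_3_8_2(acl, principal):
    """Pre-3.8.4 behaviour described in the thread: the ShowConfigTab
    visibility right unintentionally gated editing the global RT at a glance."""
    return has_right(acl, principal, "ShowConfigTab")

def can_edit_global_glance_3_8_4(acl, principal):
    """Behaviour after the 3.8.4 fix quoted in the thread: SuperUser is required."""
    return has_right(acl, principal, "SuperUser")

def audit_showconfigtab(acl):
    """Principals granted ShowConfigTab globally without SuperUser: exactly the
    grants the release note says make an installation affected."""
    return sorted((pt, pid) for pt, pid, r, ot, oid in acl
                  if r == "ShowConfigTab" and (ot, oid) == GLOBAL
                  and not has_right(acl, (pt, pid), "SuperUser"))
```

Running the audit against a real ACL table (the same columns via RT's database) lists the users and groups that need the grant reviewed before or after upgrading.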