[rt-users] urgent: disable search for new watchers

Raed El-Hames rfh at vialtus.com
Thu Jun 18 12:57:15 EDT 2009


Violetta;

You also made these people privileged (Let this user be granted rights 
is ticked), the question is do you want them to be privileged, if these 
are your customers then you should untick this and force them into the 
restricted SelfService, if you have to have them privileged then by 
default they will see the peoples tab, and to restrict that you will 
need to add extra code in few places.


Regards;
Roy


Violetta J. Wawryk wrote:
> Hi,
>
> RT is 3.6.1 on a debian system
>
> we just found out that in the people section everyone who can login can 
> search for people. So a person who has the following rights:
>
> CreateTicket
> ReplyToTicket
> SeeQueue
> ShowTicket
>
> can go to the people section and do a search like:
>
> userid doesn't contain xyz
>
> he gets all the users of the RT. Since this is a security issue, is 
> there anything that I can do to prevent these searches?
>
> It might be disabled in a newer version, if so which would that be?
>
> A quick search on the list didn't give me an answer, therefore I have to 
> ask this. Sorry if it's been on the list before.
>
> Quick help is really appreciated, thanks in advance!!!!
>
> Regards
> Violetta
>
>   



More information about the rt-users mailing list