[rt-users] urgent: disable search for new watchers

Ken Crocker kfcrocker at lbl.gov
Fri Jun 19 11:34:15 EDT 2009


Violetta,

    I just thought of an idea, but it would require a bit of work. Why 
not try creating some views that have only the info you want these users to 
see and then remove them from RT. They can still get to the RT info through 
the views, which SHOULD suffice, since they are gonna be creating 
searches and reports. I'm not sure how your infrastructure is where you 
work, but we have many users that do NOT access RT, but create their own 
SQL reports all the time through the views. We're on Oracle, but I'm sure 
the same concept is doable with other DBs. I even have some SQL that I 
use to create the views. I'd be MORE than happy to send it to you and 
you can modify the info as per your needs. They even have comments, 
which you can't get to in RT Query. Just a thought.

Kenn
LBNL

On 6/19/2009 1:22 AM, Violetta J. Wawryk wrote:
> Hello,
>
> yes I have to make him privileged because he is a kind of control 
> instance who has to see what orders (a ticket is an order) have been made.
>
> Thanks to all who answered. I cannot believe that no one ever thought of 
> this as a security bug.
>
> @Kevin: no I did not grant ShowConfigTab to anyone, to be honest I 
> didn't even know that this one existed.
>
>
>  >Email addresses themselves are considered valuable data by some
>  >people.  In this particular case, it might also reveal customer
>  >contacts (which could be abused for various purposes, not just sending
>  >spam).
>
> @Florian: yes, you are absolutely right.
>
> Since a colleague found another security issue, can anyone tell me an 
> email address where to send security issues that should definitely not be 
> public?
>
> Thanks in advance
> Violetta
>
>
> Raed El-Hames schrieb:
>   
>> Violetta;
>>
>> You also made these people privileged ("Let this user be granted rights" 
>> is ticked); the question is whether you want them to be privileged. If these 
>> are your customers then you should untick this and force them into the 
>> restricted SelfService; if you have to have them privileged then by 
>> default they will see the People tab, and to restrict that you will 
>> need to add extra code in a few places.
>>
>>
>> Regards;
>> Roy
>>
>>
>> Violetta J. Wawryk wrote:
>>     
>>> Hi,
>>>
>>> RT is 3.6.1 on a debian system
>>>
>>> we just found out that in the people section everyone who can login 
>>> can search for people. So a person who has the following rights:
>>>
>>> CreateTicket
>>> ReplyToTicket
>>> SeeQueue
>>> ShowTicket
>>>
>>> can go to the people section and do a search like:
>>>
>>> userid doesn't contain xyz
>>>
>>> he gets all the users of the RT. Since this is a security issue, is 
>>> there anything that I can do to prevent these searches?
>>>
>>> It might be disabled in a newer version, if so which would that be?
>>>
>>> A quick search on the list didn't give me an answer, therefore I have 
>>> to ask this. Sorry if it's been on the list before.
>>>
>>> Quick help is really appreciated, thanks in advance!!!!
>>>
>>> Regards
>>> Violetta
>>>
>>>   
>>>       
>
>
>   
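An added example of the approach Kenn describes (this is not his SQL, which he offers to send separately): two read-only reporting views over RT 3.6's own tables that carry the ticket and comment data a reporting user needs while leaving out the columns of the Users table that started this thread (EmailAddress, Password, and the rest). Table and column names follow RT 3.6's schema; the schema owner `rt`, the role `rt_reports` and the account `reporting_user` are assumptions for illustration. The syntax is Oracle's, matching Kenn's setup; Postgres and MySQL accept the views unchanged but word the role/grant statements slightly differently.

```sql
-- Added example, not from the original post or from RT itself.
-- Assumed: RT's tables live in schema "rt"; role and account names are made up.

-- Tickets with queue name and owner login only. Users.EmailAddress is
-- deliberately never selected, so the view cannot be used to enumerate addresses.
CREATE OR REPLACE VIEW rt.rt_report_tickets AS
SELECT t.id          AS ticket_id,
       q.Name        AS queue,
       t.Subject,
       t.Status,
       t.Priority,
       o.Name        AS owner_login,
       t.Created,
       t.Resolved
  FROM rt.Tickets t
  JOIN rt.Queues  q ON q.id = t.Queue
  JOIN rt.Users   o ON o.id = t.Owner
 WHERE t.Type = 'ticket'          -- skip reminders and approvals
   AND t.EffectiveId = t.id;      -- skip tickets merged into another one

-- Comments (the part RT Query cannot reach), joined back to the ticket.
-- Only the top-level MIME part of each comment transaction is returned.
CREATE OR REPLACE VIEW rt.rt_report_comments AS
SELECT tx.ObjectId   AS ticket_id,
       tx.Created,
       u.Name        AS author_login,
       a.Content     AS body
  FROM rt.Transactions tx
  JOIN rt.Attachments  a ON a.TransactionId = tx.id
  JOIN rt.Users        u ON u.id = tx.Creator
 WHERE tx.ObjectType = 'RT::Ticket'
   AND tx.Type = 'Comment'
   AND a.Parent = 0;

-- Least privilege: the reporting role may read the two views and nothing else.
-- No grant on rt.Users, rt.Tickets or any other base table.
CREATE ROLE rt_reports;
GRANT SELECT ON rt.rt_report_tickets  TO rt_reports;
GRANT SELECT ON rt.rt_report_comments TO rt_reports;
GRANT rt_reports TO reporting_user;   -- the "control instance" account, assumed name
```

Two checks before handing such views out: confirm with a query against the view as `reporting_user` that no column exposes an email address or password hash, and confirm that the account holds no direct privilege on the base tables (in Oracle, `SELECT * FROM dba_tab_privs WHERE grantee IN ('RT_REPORTS','REPORTING_USER')`), because a single direct grant on `rt.Users` would undo the point of the exercise. Note that the views still expose owner and author login names; if even those are sensitive in your environment, drop the `Users` joins and report only the numeric ids.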