[rt-users] security issue
Torsten Brumm
torsten.brumm at googlemail.com
Mon Mar 29 09:49:34 EDT 2010
Oh, just read: You granted (globally?) unprivileged users the right
to see a ticket? That's heavy....
Depending on your need I would suggest to grant ShowTicket only to
Requestor (on Queue Base)
Is it really needed that all users from Company 1 can see tickets
created from someone of Company 1?
Torsten
2010/3/29 Tariq Doukkali <tariq.doukkali at autoform.de>:
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address in another browser tab
> and changes id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is able to show this ticket too.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to show
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem???
>
> Many thanks in advance!!!
>
> Tamodew
--
MFG
Torsten Brumm
http://www.brumm.me
http://www.elektrofeld.de
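
Added example, not part of the original thread and not RT's own code: a minimal Python model of the rights check discussed above, comparing a global ShowTicket grant to the Unprivileged group with a queue-level grant to the Requestor role. The user names, the queue name `support` and the `Grant`, `has_right` and `visible_ids` helpers are assumptions made for illustration; ticket ids 490 and 493 are taken from the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    privileged: bool = False

@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestors: frozenset  # names of the users who opened the ticket

@dataclass(frozen=True)
class Grant:
    right: str
    principal: str        # system group "Unprivileged" or ticket role "Requestor"
    queue: Optional[str]  # None means the grant is global

def has_right(user, ticket, right, grants):
    """Hypothetical evaluator: True if any grant gives `right` on `ticket`."""
    for g in grants:
        if g.right != right or g.queue not in (None, ticket.queue):
            continue
        # Group grant: matches every unprivileged account, whatever the ticket.
        if g.principal == "Unprivileged" and not user.privileged:
            return True
        # Role grant: matches only users holding that role on this ticket.
        if g.principal == "Requestor" and user.name in ticket.requestors:
            return True
    return False

def visible_ids(user, tickets, grants):
    return sorted(t.id for t in tickets if has_right(user, t, "ShowTicket", grants))

# Constructed sample data: two customers share one queue.
ALICE = User("alice@company1.example")
CAROL = User("carol@company1.example")
BOB = User("bob@company2.example")
TICKETS = [Ticket(490, "support", frozenset({BOB.name})),
           Ticket(493, "support", frozenset({ALICE.name}))]
GLOBAL_GRANT = [Grant("ShowTicket", "Unprivileged", None)]
REQUESTOR_GRANT = [Grant("ShowTicket", "Requestor", "support")]

if __name__ == "__main__":
    for label, grants in (("global", GLOBAL_GRANT), ("requestor", REQUESTOR_GRANT)):
        for u in (ALICE, CAROL, BOB):
            print(label, u.name, visible_ids(u, TICKETS, grants))
```

In this model the Requestor grant also hides ticket 493 from a colleague at the same company, which is the trade-off behind the question in the reply about whether company-wide visibility is really needed.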