[rt-users] security issue

Torsten Brumm torsten.brumm at googlemail.com
Mon Mar 29 09:49:34 EDT 2010


Oh, just read: You granted (globally?) unprivileged users the right
to see a ticket? That's heavy....

Depending on your need, I would suggest to grant ShowTicket only to
Requestor (on a queue basis).

Is it really needed that all users from Company 1 can see tickets
created by someone from Company 1?

Torsten

2010/3/29 Tariq Doukkali <tariq.doukkali at autoform.de>:
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab
> and changes the id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is also able to show this ticket too.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to show
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem?
>
> Many thanks in advance!
>
> Tamodew



-- 
MFG

Torsten Brumm

http://www.brumm.me
http://www.elektrofeld.de
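As an added illustration (my own model, not RT's code or anyone's post in this thread), here is a small Python model of the two rights configurations discussed above: ShowTicket granted globally to the Unprivileged group, versus ShowTicket granted to the Requestor role on a single queue. The user addresses, queue name and ticket data are constructed for the example.

```python
# Added example (not RT code): a minimal model of RT's rights check for
# ShowTicket, showing why a global grant to "Unprivileged" lets a self-service
# user open any ticket id, while a queue-level grant to the Requestor role
# limits each user to the tickets they requested.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestor: str        # address of the user who created the ticket


@dataclass(frozen=True)
class Grant:
    right: str            # e.g. "ShowTicket"
    principal: str        # a group name ("Unprivileged") or a role ("Requestor")
    scope: str            # "global" or a queue name


def has_right(user, right, ticket, grants, groups):
    """Return True if `user` holds `right` on `ticket`.

    A grant applies when its scope is global or matches the ticket's queue,
    and its principal is either a group the user belongs to or a role
    (here only Requestor is modelled) the user fills on that ticket.
    """
    for g in grants:
        if g.right != right or g.scope not in ("global", ticket.queue):
            continue
        if g.principal in groups.get(user, set()):
            return True
        if g.principal == "Requestor" and ticket.requestor == user:
            return True
    return False


# Constructed sample data: two companies sharing the SelfService interface.
GROUPS = {"alice@company1.example": {"Unprivileged"},
          "bob@company2.example": {"Unprivileged"}}
TICKETS = {493: Ticket(493, "Support", "alice@company1.example"),
           490: Ticket(490, "Support", "bob@company2.example")}

# The configuration described in the thread: ShowTicket granted globally
# to the Unprivileged group, so changing the id in the URL shows any ticket.
GLOBAL_GRANT = [Grant("ShowTicket", "Unprivileged", "global")]
# The suggested fix: ShowTicket only for the Requestor role, on the queue.
REQUESTOR_GRANT = [Grant("ShowTicket", "Requestor", "Support")]


def visible_tickets(user, grants):
    """Sorted ids of the tickets `user` may display under `grants`."""
    return sorted(t.id for t in TICKETS.values()
                  if has_right(user, "ShowTicket", t, grants, GROUPS))
```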
