[rt-users] security issue
Tariq Doukkali
tariq.doukkali at autoform.de
Tue Mar 30 04:22:30 EDT 2010
Hi Torsten,
Many thanks for your help. It is working fine now!!!
Thank you very much!!!
Best regards,
Tariq
-----Original Message-----
From: Torsten Brumm [mailto:torsten.brumm at googlemail.com]
Sent: Monday, 29 March 2010 15:50
To: Tariq Doukkali
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] security issue
Oh, just read: You granted (globally?) unprivileged users the right
to see a ticket? That's heavy....
Depending on your need I would suggest granting ShowTicket only to
Requestor (on a per-queue basis).
Is it really needed that all users from Company 1 can see tickets
created by someone from Company 1?
Torsten
2010/3/29 Tariq Doukkali <tariq.doukkali at autoform.de>:
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab
> and changes the id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is also able to see this ticket.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to see
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group of unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem???
>
> Many thanks in advance!!!
>
> Tamodew
--
Kind regards
Torsten Brumm
http://www.brumm.me
http://www.elektrofeld.de
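
Added example, not part of the original thread and not RT's own code: a simplified Python model of the rights check, showing why a global ShowTicket grant to the Unprivileged group lets any self-service user open id=490, while a grant to the Requestor role on the queue does not. The ticket owners, the "Support" queue name and the `can_show` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestor: str  # user who opened the ticket

@dataclass(frozen=True)
class Grant:
    right: str
    principal: str  # group ("Unprivileged") or role ("Requestor")
    scope: str      # "global" or a queue name

# Constructed sample data (assumed): two customers sharing one queue.
TICKETS = {
    493: Ticket(493, "Support", "alice@company1.example"),
    490: Ticket(490, "Support", "bob@company2.example"),
}
# Every self-service user is a member of the Unprivileged group.
GROUPS = {
    "alice@company1.example": {"Unprivileged"},
    "bob@company2.example": {"Unprivileged"},
}

def principals_for(user, ticket):
    """Groups the user belongs to, plus roles the user holds on this ticket."""
    held = set(GROUPS.get(user, ()))
    if user == ticket.requestor:
        held.add("Requestor")
    return held

def can_show(user, ticket_id, grants):
    """True if some ShowTicket grant covers this user for this ticket."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return False
    held = principals_for(user, ticket)
    return any(g.right == "ShowTicket" and g.principal in held
               and g.scope in ("global", ticket.queue) for g in grants)

# Setup from the original question: every unprivileged user may show tickets.
BROAD = [Grant("ShowTicket", "Unprivileged", "global")]
# Setup suggested in the reply: only the ticket's Requestor, per queue.
SCOPED = [Grant("ShowTicket", "Requestor", "Support")]

if __name__ == "__main__":
    for name, grants in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, {t: can_show("alice@company1.example", t, grants) for t in TICKETS})
```

With the scoped grant, changing the id in the URL no longer matters, because the decision depends on the user's relationship to the ticket rather than on group membership alone.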