[rt-users] Non-Privileged User can create requestors for other users

Lee Wilson leefm40 at yahoo.co.uk
Fri Apr 27 14:38:45 EDT 2012


Good Evening,

I was experimenting with RT (4.0.5) last night and found that it was 
possible for a non-privileged user to create tickets via the web 
interface for another user regardless of whether they exist or not.

Once the ticket is created the user gets a "no permissions to view this 
ticket" message so some security is going on.

Would someone be so kind as to answer a few questions about this:

1) Is what I've said correct and if so is it possible to stop it without 
custom coding? I'd like to restrict users to only creating tickets for 
themselves, not anyone else.

No problem if I do have to code something but wanted to know if there 
was an easier solution.

2) How can I stop random new users being created when they are added as 
requestors? I'd prefer if only users I manually create are able to 
create tickets.

There were a few older threads (from 2003 - 
http://www.gossamer-threads.com/lists/rt/users/17680) that referred to 
external Auth or removing the create ticket right from both Unprivileged 
and Everyone but this is already set up by default from what I can tell.

If this can't be done I guess an OnCreate scrip that would auto-close 
the ticket with some kind of message template informing the requestor why 
would do the trick.

Thanks in advance

Lee


