[rt-users] Non-Privileged User can create requestors for other users

Ruslan Zakirov ruz at bestpractical.com
Mon Apr 30 10:00:51 EDT 2012


On Fri, Apr 27, 2012 at 22:38, Lee Wilson <leefm40 at yahoo.co.uk> wrote:
> Good Evening,
>
> I was experimenting with RT (4.0.5) last night and found that it was
> possible for a non-privileged user to create tickets via the web interface
> for another user regardless of if they exist or not.
>
> Once the ticket is created the user gets a "no permissions to view this
> ticket" message so some security is going on.
>
> Would someone be so kind as to answer a few questions about this:
>
> 1) Is what I've said correct and if so is it possible to stop it without
> custom coding? I'd like to restrict users to only creating tickets for
> themselves, not anyone else.
>
> No problem if I do have to code something but wanted to know if there was an easier
> solution.
>
> 2) How can I stop random new users being created when they are added as
> requestors? I'd prefer if only users I manually create are able to create
> tickets.
>
> There were a few older threads (from 2003 -
> http://www.gossamer-threads.com/lists/rt/users/17680) that referred to
> external Auth or removing the create ticket right from both Unprivileged and
> Everyone but this is already set up by default from what I can tell.
>
> If this can't be done I guess an OnCreate scrip that would auto-close the
> ticket with some kind of message template informing the requestor why would do
> the trick.
>
> Thanks in advance


You can achieve this with a slight modification to the MandatoryRequestor extension[1].

[1] http://search.cpan.org/dist/RT-Extension-MandatoryRequestor/lib/RT/Extension/MandatoryRequestor.pm


>
> Lee



-- 
Best regards, Ruslan.


