[rt-users] 403 Forbidden message when adding local customisations

Jenni Wilson jenni.wilson at strategicdata.com.au
Thu May 10 00:23:46 EDT 2012


On 10/05/2012, at 11:48 AM, Kevin Falcone wrote:

> On Thu, May 10, 2012 at 10:51:18AM +1000, Jenni Wilson wrote:
>> We are upgrading RT from 3.8.7 to 4.0.5.
>> 
>> We have some mason customisations under
>> /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine
>> under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and
>> a blank screen.
> 
>> 
>> The functionality of the customizations is such that a separate form
>> containing custom fields is added to a ticket. When this form is
>> submitted a new ticket should be created in a different queue, however
>> the 403 and blank screen is being returned instead. The same mason
>> file - /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems -
>> is used to add the custom fields and is then posted back to itself as
>> http://rt-url/Ticket/Elements/ManageInventoryItems
> 
> RT does not allow direct access to Elements, _elements, Widgets and a
> few other files.  This is a security issue since there are files in
> Elements/ that do not expect to be accessed directly.  It's simpler
> for RT to just deny direct access to these files.
> 
> If you'd applied the security patches from last year to your 3.8.7
> http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
> you would have run into the same failure.
> 
> Move your custom form to something other than Elements, such as
> Tickets/CustomForms/ and you'll be fine.
> 

That was the problem. Thanks for your help.

Jenni.
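
An added example, not part of the original thread and not RT's own code: a pre-upgrade audit that walks a local Mason overlay and reports forms or links whose target falls under a directory the reply says RT refuses to serve directly. The function names, the action/href heuristic and exact-match path segments are assumptions; the directory names come from the reply.

```python
import os
import re
import tempfile

# Names taken from the reply above. RT also blocks "a few other files",
# which this sketch does not model; exact-match segments are an assumption.
PRIVATE_SEGMENTS = {"Elements", "_elements", "Widgets"}

# action="..." / href="..." values; the back-reference lets the value contain
# the other quote character, as in <% RT->Config->Get('WebPath') %>.
URL_ATTR = re.compile(r'(?:action|href)\s*=\s*(["\'])(.*?)\1', re.I | re.S)


def is_private(url_path):
    """True if any path segment names a directory RT refuses to serve."""
    path = url_path.split("?", 1)[0]
    return any(seg in PRIVATE_SEGMENTS for seg in path.split("/"))


def audit_overlay(html_root):
    """Return sorted (component, target) pairs: components under html_root
    whose forms or links request a private path and would receive a 403."""
    findings = []
    for dirpath, _dirs, files in os.walk(html_root):
        for name in files:
            full = os.path.join(dirpath, name)
            comp = "/" + os.path.relpath(full, html_root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            for _quote, target in URL_ATTR.findall(source):
                if is_private(target):
                    findings.append((comp, target))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample overlay: one form posting back into Elements/.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Ticket", "Elements"))
        sample = os.path.join(root, "Ticket", "Elements", "ManageInventoryItems")
        with open(sample, "w", encoding="utf-8") as fh:
            fh.write('<& /Elements/Header &>\n'   # internal call: not flagged
                     '<form method="post" '
                     'action="/Ticket/Elements/ManageInventoryItems">\n')
        for comp, target in audit_overlay(root):
            print(f"{comp}: {target} would be refused")
```

Internal component calls such as `<& /Elements/Header &>` are deliberately not reported, since only paths requested by the browser are subject to the restriction.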