[rt-users] 403 Forbidden message when adding local customisations
Jenni Wilson
jenni.wilson at strategicdata.com.au
Thu May 10 00:23:46 EDT 2012
On 10/05/2012, at 11:48 AM, Kevin Falcone wrote:
> On Thu, May 10, 2012 at 10:51:18AM +1000, Jenni Wilson wrote:
>> We are upgrading RT from 3.8.7 to 4.0.5.
>>
>> We have some Mason customisations under
>> /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine
>> under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and
>> a blank screen.
>>
>> The functionality of the customizations is such that a separate form
>> containing custom fields is added to a ticket. When this form is
>> submitted a new ticket should be created in a different queue, however
>> the 403 and blank screen are being returned instead. The same Mason
>> file - /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems -
>> is used to add the custom fields and is then posted back to itself as
>> http://rt-url/Ticket/Elements/ManageInventoryItems
>
> RT does not allow direct access to Elements, _elements, Widgets and a
> few other files. This is a security issue since there are files in
> Elements/ that do not expect to be accessed directly. It's simpler
> for RT to just deny direct access to these files.
>
> If you'd applied the security patches from last year to your 3.8.7
> http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
> you would have run into the same failure.
>
> Move your custom form to something other than Elements, such as
> Tickets/CustomForms/ and you'll be fine.
>
That was the problem. Thanks for your help.
Jenni.
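
An added example, not part of the original thread and not RT's own code: a pre-upgrade audit of a local Mason overlay that lists components sitting under the directory names mentioned in the reply and any form/link URLs that request them directly. The sample tree, the `Inventory` file name and the helper names are constructed for illustration; the reply's "a few other files" are not named in the thread, so the restricted set here is incomplete.

```python
import re, tempfile
from pathlib import Path

# Names taken from the reply above; it also mentions "a few other files"
# without naming them, so this set is knowingly incomplete.
RESTRICTED_DIRS = {"Elements", "_elements", "Widgets"}
# URL-bearing attributes only; Mason calls such as <& /Elements/Header &>
# are internal includes, not HTTP requests, and are deliberately not matched.
URL_ATTR = re.compile(r'''\b(action|href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')''', re.I)

def is_restricted(path):
    """True if a directory segment (not the final name) is restricted."""
    segments = path.split("?", 1)[0].split("/")
    return any(seg in RESTRICTED_DIRS for seg in segments[:-1])

def audit(html_root):
    """Return (components under restricted dirs, URL references into them)."""
    root = Path(html_root)
    components, references = [], []
    for p in sorted(f for f in root.rglob("*") if f.is_file()):
        rel = "/" + p.relative_to(root).as_posix()
        if is_restricted(rel):
            components.append(rel)
        lines = p.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for attr, dq, sq in URL_ATTR.findall(line):
                if is_restricted(dq or sq):
                    references.append((rel, lineno, attr.lower(), dq or sq))
    return components, references

def build_sample(root):
    """Constructed overlay tree modelled on the layout in the thread."""
    files = {
        "Ticket/Elements/ManageInventoryItems":
            '<& /Elements/Header &>\n'
            '<form method="post" action="/Ticket/Elements/ManageInventoryItems">\n',
        "Tickets/CustomForms/Inventory":
            '<& /Elements/Header &>\n'
            '<form method="post" action="/Tickets/CustomForms/Inventory">\n',
    }
    for name, body in files.items():
        path = Path(root, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for item in sum(audit(tmp), []):
            print(item)
```

On the sample tree only the form that posts back to a path under `Elements/` is reported; the `<& /Elements/Header &>` includes in both files are left alone because they never become a browser request.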