[rt-users] RT (4.0.18) search engine is leaking information about unallowed tickets

Kevin Falcone falcone at bestpractical.com
Fri Dec 13 10:50:53 EST 2013


On Fri, Dec 13, 2013 at 04:06:20PM +0100, benoit plessis wrote:
>    I'm experiencing something weird with the latest 4.0.xx release: when some low-privilege
>    users search for tickets, RT gives away unwanted information.
> 
>    Example: the default dashboard search for unowned tickets displays "70 tickets found" in the
>    title part, includes a two-page navigation, but only displays 1 ticket, the only one the user
>    is allowed to see.
> 
>    This also breaks the dashboard view: since the first ten tickets aren't accessible, the view is
>    empty.
>    I'm not sure if it's a recent change or not, since up to now all of our users had at least
>    read-only access to all of the queues/tickets.

http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks

Off on 4.0, on on 4.2.  You sound like you want to turn it on.

-kevin
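
A simplified model of the symptom reported in this thread, added here as an example (it is not RT's code or schema, and not part of either message). The first search applies the ACL to rows after the query has counted and paged them, so the total reveals tickets the user cannot read and page 1 comes back empty; the second puts the ACL in the SQL, which is what the option name `UseSQLForACLChecks` refers to. The tables, the `lowpriv` user and all function names are constructed for illustration.

```python
import sqlite3

PAGE_SIZE = 10  # rows per results page

def build_db():
    """Constructed data: 70 unowned tickets; 'lowpriv' may read only the 'support' queue."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, queue TEXT, owner TEXT)")
    db.execute("CREATE TABLE acl (username TEXT, queue TEXT)")  # hypothetical rights table
    rows = [(i, "support" if i == 42 else "internal", "Nobody") for i in range(1, 71)]
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?)", rows)
    db.execute("INSERT INTO acl VALUES ('lowpriv', 'support')")
    return db

def can_see(db, user, queue):
    """Per-row rights check, run only when a row is about to be displayed."""
    q = "SELECT 1 FROM acl WHERE username = ? AND queue = ?"
    return db.execute(q, (user, queue)).fetchone() is not None

def search_filter_on_display(db, user, page=1):
    """ACL applied after the query: count and paging come from unfiltered rows."""
    total = db.execute(
        "SELECT COUNT(*) FROM tickets WHERE owner = 'Nobody'").fetchone()[0]
    rows = db.execute(
        "SELECT id, queue FROM tickets WHERE owner = 'Nobody' "
        "ORDER BY id LIMIT ? OFFSET ?",
        (PAGE_SIZE, (page - 1) * PAGE_SIZE)).fetchall()
    return total, [tid for tid, queue in rows if can_see(db, user, queue)]

def search_acl_in_sql(db, user, page=1):
    """ACL is part of the WHERE clause, so count, paging and rows agree."""
    acl = "queue IN (SELECT queue FROM acl WHERE username = ?)"
    total = db.execute(
        "SELECT COUNT(*) FROM tickets WHERE owner = 'Nobody' AND " + acl,
        (user,)).fetchone()[0]
    rows = db.execute(
        "SELECT id FROM tickets WHERE owner = 'Nobody' AND " + acl +
        " ORDER BY id LIMIT ? OFFSET ?",
        (user, PAGE_SIZE, (page - 1) * PAGE_SIZE)).fetchall()
    return total, [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("filter on display, page 1:", search_filter_on_display(db, "lowpriv"))
    print("filter on display, page 5:", search_filter_on_display(db, "lowpriv", 5))
    print("ACL in SQL, page 1:       ", search_acl_in_sql(db, "lowpriv"))
```
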