[rt-users] RT (4.0.18) search engine is leaking informations about unallowed tickets
Kevin Falcone
falcone at bestpractical.com
Fri Dec 13 10:50:53 EST 2013
On Fri, Dec 13, 2013 at 04:06:20PM +0100, benoit plessis wrote:
> I'm experiencing something weird with the latest 4.0.xx release: when some low-privilege
> users search for tickets, RT gives away unwanted information.
>
> Example: the default dashboard search for unowned tickets displays "70 tickets found" in the
> title part, includes a two-page navigation, but only displays 1 ticket, the only one the user
> is allowed to see.
>
> This also breaks the dashboard view: since the first ten tickets aren't accessible, the view is
> empty.
> I'm not sure if it's a recent change or not, since up to now all of our users had at least
> read-only access to all of the queues/tickets.
http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks
Off on 4.0, on on 4.2. You sound like you want to turn it on.
-kevin