[rt-users] RT (4.0.18) search engine is leaking informations about unallowed tickets

benoit plessis plessis.benoit at gmail.com
Sun Dec 15 09:11:33 EST 2013


Oh yes thanks.


2013/12/13 Kevin Falcone <falcone at bestpractical.com>

> On Fri, Dec 13, 2013 at 04:06:20PM +0100, benoit plessis wrote:
> >    I'm experiencing something weird with the latest 4.0.xx release, when
> some low privileges
> >    users search for tickets RT give away of unwanted informations.
> >
> >    Example: the default dashboard search for unowned tickets display "70
> tickets found" in the
> >    title part, include a two-pages navigation, but only display 1
> ticket, the only one the user
> >    is allowed to see.
> >
> >    This also break the dashboard view, since the first ten tickets
> aren't accessible the view is
> >    empty.
> >    I'm not sure if it's a recent change or not since up to now all of
> our users had at least
> >    readonly access to all of the queues/tickets.
>
> http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks
>
> Off on 4.0, on on 4.2.  You sound like you want to turn it on.
>
> -kevin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20131215/301dd73f/attachment.htm>


More information about the rt-users mailing list