[rt-users] RT (4.0.18) search engine is leaking information about unallowed tickets
benoit plessis
plessis.benoit at gmail.com
Sun Dec 15 09:11:33 EST 2013
Oh yes thanks.
2013/12/13 Kevin Falcone <falcone at bestpractical.com>
> On Fri, Dec 13, 2013 at 04:06:20PM +0100, benoit plessis wrote:
> > I'm experiencing something weird with the latest 4.0.xx release: when some low-privilege
> > users search for tickets, RT gives away unwanted information.
> >
> > Example: the default dashboard search for unowned tickets displays "70 tickets found" in the
> > title part, includes a two-page navigation, but only displays 1 ticket, the only one the user
> > is allowed to see.
> >
> > This also breaks the dashboard view: since the first ten tickets aren't accessible, the view is
> > empty.
> > I'm not sure if it's a recent change or not, since up to now all of our users had at least
> > read-only access to all of the queues/tickets.
>
> http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks
>
> Off on 4.0, on on 4.2. You sound like you want to turn it on.
>
> -kevin
>
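
The symptoms reported in this thread (a leaked total, extra pagination, an empty first page) can be reproduced with a simplified model of the two places a rights check can run: when rows are displayed, or inside the search query itself, which is the distinction the linked UseSQLForACLChecks option controls. This is an added example, not RT's code; the ticket data, queue names and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str

# Constructed data: 70 unowned tickets; only ticket 12 sits in a queue
# the low-privilege user may see ("support"), the rest are in "internal".
TICKETS = [Ticket(i, "support" if i == 12 else "internal") for i in range(1, 71)]
USER_QUEUES = {"support"}

def can_see(user_queues, ticket):
    """Hypothetical stand-in for a per-ticket rights check."""
    return ticket.queue in user_queues

def _page(rows, page, per_page):
    start = (page - 1) * per_page
    return rows[start:start + per_page]

def search_acl_on_display(tickets, user_queues, page=1, per_page=50):
    """Count and paginate every match, check rights only while rendering."""
    matched = list(tickets)            # the query itself ignores the ACL
    total = len(matched)               # so the total covers hidden tickets
    rows = [t for t in _page(matched, page, per_page) if can_see(user_queues, t)]
    return {"total": total, "pages": -(-total // per_page), "rows": rows}

def search_acl_in_query(tickets, user_queues, page=1, per_page=50):
    """Apply the rights check as part of the query, then count and paginate."""
    matched = [t for t in tickets if can_see(user_queues, t)]
    total = len(matched)
    rows = _page(matched, page, per_page)
    return {"total": total, "pages": -(-total // per_page), "rows": rows}

if __name__ == "__main__":
    # Full search view: "70 found", two pages, one visible row.
    print(search_acl_on_display(TICKETS, USER_QUEUES))
    # Dashboard showing the first ten rows: count leaks, view is empty.
    print(search_acl_on_display(TICKETS, USER_QUEUES, per_page=10))
    # Rights applied in the query: count, paging and rows agree.
    print(search_acl_in_query(TICKETS, USER_QUEUES, per_page=10))
```

A quick check on a real instance is to compare the "found" count shown to a restricted account with the number of rows that account can actually open across all pages; any difference means the count is computed before rights are applied.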