[rt-users] Confidentiality issue when customers searching by ticket number

Aurelien Lafranchise aurelien.lafranchise at mobiquithings.com
Fri Sep 20 04:22:40 EDT 2013


You are totally right.

Thanks for your help and the tool that I did not know.

Aurélien Lafranchise
Network Operations Manager
Mob.:  +33 (0)6 03 88 36 26
Fax:    +33 (0)4 83 33 45 61
eMail:  aurelien.lafranchise at mobiquithings.com
Web:   http://www.mobiquithings.com



Le 19 sept. 2013 à 20:20, Ruslan Zakirov <ruz at bestpractical.com> a écrit :

> You should grant ShowTicket via Requestor role for your customers rather than via direct granting to a group.
> 
> Use http://search.cpan.org/~ruz/RT-Extension-Utils-0.06/sbin/rt-check-user-right-on-ticket to check how particular user gets a right to a ticket.
> 
> 
> On Thu, Sep 19, 2013 at 3:08 PM, Aurelien Lafranchise <aurelien.lafranchise at mobiquithings.com> wrote:
> Hello all,
> 
> I am facing a confidentiality problem on my RT instance.
> 
> My customers have access to RT to create ticket. In the interface they have a search field they can use to go to a ticket number. The problem is that they can put a ticket number and see the ticket even if it not one of their tickets.
> 
> I cannot find anywhere in the documentation or google any start of explanation on that.
> 
> Also all my customers are under the same group.
> 
> Thanks for your help
> Regards.
> 
> AL
> 
> --
> RT Training in New York, October 8th and 9th: http://bestpractical.com/training
> 
> 
> 
> -- 
> Best regards, Ruslan.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130920/79b9c5d5/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MBQT_signature.png
Type: image/png
Size: 10817 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130920/79b9c5d5/attachment.png>


More information about the rt-users mailing list