[rt-users] Lockdown CC and AdminCC

[Bill Cole]

On 24 Aug 2015, at 15:40, Matt Zagrabelny wrote:

> On Mon, Aug 24, 2015 at 2:02 PM, Joseph D. Wagner
> <joe at josephdwagner.info> wrote:
>>> What do you mean by "without logins"? The email address needs
>>> to correspond to a user that already exists on the system?
>>
>> Yes.  Here's what happened.  A privileged user entered an external 
>> email address into the CC field, which did not have an account.  RT 
>> autocreated an account for that person, and it accepted that external 
>> email address on the CC field.  I need to prevent that.
>>
>> How can I limit CC and AdminCC to email addresses that already have 
>> accounts?  Either rejecting the ticket or silently failing to add the 
>> CC/AdminCC email address would be acceptable.
>
> Use a callback.
>
> Do you know what those are?


Specifically: You can use the BeforeCreate callback to prevent 
accidental creation of . It is available in Ticket/Create.html, 
SelfService/Create.html, and m/ticket/create. It is NOT available for 
the "QuickCreate" widget, so users of that widget could add bogus 
Requestors at will. Anyone who can add ad hoc recipients to ticket 
updates share the ability to add users to RT, so you may want to find a 
callback in the Update pages as well. If controlling user creation by 
gatekeeping many different paths of ticket modification seems like a 
shoddy approach to you, you are not wrong. In RT's defense, its 
eagerness to add new users whenever it sees a new email address is 
rooted in the days before spam from random addresses to random addresses 
and via random compromised web applications was a widespread problem.

If you use ExternalAuth, setting AutoCreateNonExternalUsers to 0 seems 
to be an option that would block creation of users not in one of your 
configured external auth sources, but it may have undesirable 
side-effects. If you want random strangers to be able to send your RT 
mail that opens new tickets, you are stuck with gatekeeping other paths 
to user auto-creation.