[rt-users] Lockdown CC and AdminCC

Matt Zagrabelny mzagrabe at d.umn.edu
Mon Aug 24 17:00:43 EDT 2015


On Mon, Aug 24, 2015 at 3:55 PM, Bill Cole
<rtusers-20090205 at billmail.scconsult.com> wrote:
> On 24 Aug 2015, at 15:40, Matt Zagrabelny wrote:
>
>> On Mon, Aug 24, 2015 at 2:02 PM, Joseph D. Wagner
>> <joe at josephdwagner.info> wrote:
>>>>
>>>> What do you mean by "without logins"? The email address needs
>>>> to correspond to a user that already exists on the system?
>>>
>>>
>>> Yes.  Here's what happened.  A privileged user entered an external email
>>> address into the CC field, which did not have an account.  RT autocreated an
>>> account for that person, and it accepted that external email address on the
>>> CC field.  I need to prevent that.
>>>
>>> How can I limit CC and AdminCC to email addresses that already have
>>> accounts?  Either rejecting the ticket or silently failing to add the
>>> CC/AdminCC email address would be acceptable.
>>
>>
>> Use a callback.
>>
>> Do you know what those are?
>
>
>
> Specifically: You can use the BeforeCreate callback to prevent accidental
> creation of . It is available in Ticket/Create.html,
> SelfService/Create.html, and m/ticket/create. It is NOT available for the
> "QuickCreate" widget, so users of that widget could add bogus Requestors at
> will.

For reference, BestPractical is not averse to accepting patches which
have new callback hooks. It would probably be a one-liner to add a
callback hook to the QuickCreate widget.

-m
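
Added example, not part of the original thread and not Best Practical's code: a sketch of a BeforeCreate callback that refuses ticket creation when a Cc or AdminCc address has no existing RT user. Assumptions: the component path and the name RestrictWatchers are hypothetical, the callback receives ARGSRef, skip_create (a scalar reference) and results as in RT 4.x Ticket/Create.html, and the fields hold only e-mail addresses.

```perl
%# Hypothetical path:
%#   local/html/Callbacks/RestrictWatchers/Ticket/Create.html/BeforeCreate
<%once>
use Email::Address;
</%once>
<%args>
$ARGSRef     => {}
$skip_create => undef
$results     => []
</%args>
<%init>
# Check both watcher fields submitted by the create form.
for my $field (qw(Cc AdminCc)) {
    my $raw = $ARGSRef->{$field};
    next unless defined $raw && $raw =~ /\S/;

    # Assumption: anything that does not parse as an address is rejected.
    my @addresses = Email::Address->parse($raw);
    unless (@addresses) {
        push @$results, "$field: could not parse any e-mail address";
        $$skip_create = 1 if ref $skip_create;
        next;
    }

    for my $addr (@addresses) {
        # Look the address up as the system user so the result does not
        # depend on the rights of the person filling in the form.
        my $user = RT::User->new( RT->SystemUser );
        $user->LoadByEmail( $addr->address );
        next if $user->Id;    # existing account: allowed

        # Unknown address: report it and stop the ticket from being
        # created, so RT never autocreates a user for it.
        push @$results, "$field: " . $addr->address . " has no RT account";
        $$skip_create = 1 if ref $skip_create;
    }
}
</%init>
```

The same component would have to be installed for SelfService/Create.html and m/ticket/create as well; as noted in the thread, QuickCreate does not invoke this callback and is not covered.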


