[rt-users] User able to view, comment, reply to tickets not belonging to themselves
Bill Cole
rtusers-20090205 at billmail.scconsult.com
Fri Mar 13 10:08:20 EDT 2015
On 12 Mar 2015, at 18:41, Michael Jablonski wrote:
> Hello everyone,
>
> I currently have RT 4.2.9 installed. I have the ability for our
> customers to log in and view their open and resolved tickets. This all
> works great and they can comment, reply and change the status on their
> tickets. However my issue is this: in the URL
> "domain.tld/SelfService/Display.html?id=1503120001". After the id=
> it displays the ticket number.
> If I am a clever user I can easily understand the ticketing number
> and change it to 1503110001 and see the ticket that belongs to someone
> else, and they have the ability to comment, reply etc.
>
> I am looking for a way to either
> 1) Not have the ticket number displayed in the URL
Entirely infeasible, also not a solution, since it only slightly raises
the cleverness bar. RT depends on having unique URLs for tickets.
> 2) Not have the ability to view other tickets that do not belong to
> the user logged in
That's what you get with the default Rights configuration. You may have
assigned overly-permissive Rights to the System groups "Everyone"
and/or "Unprivileged." On the Admin/Global/GroupRights.html page,
uncheck 'View ticket summaries' (ShowTicket) for those groups.
Unprivileged users should only get a ShowTicket Right by way of having a
Requestor or Cc role. You should also confirm that those roles DO have
it granted.
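A way to verify the rights layout described above from the RT host itself, as an added example that is not part of this thread. It uses RT's own Perl API (RT 4.2) and assumes the standard /opt/rt4 install path; the group and right names are the ones named in the reply.

```perl
#!/usr/bin/perl
# Audit who holds the global ShowTicket right (assumed RT 4.2 API, /opt/rt4).
use strict;
use warnings;
use lib "/opt/rt4/lib";
use RT;

RT::LoadConfig();
RT::Init();

my $RIGHT = 'ShowTicket';   # shown as "View ticket summaries" in the UI
my $ok    = 1;

# System groups that must NOT hold ShowTicket globally.
for my $name ('Everyone', 'Unprivileged') {
    my $g = RT::Group->new( RT->SystemUser );
    $g->LoadSystemInternalGroup($name);
    die "cannot load system group $name\n" unless $g->Id;
    my $has = $g->PrincipalObj->HasRight( Right => $RIGHT, Object => RT->System );
    printf "%-12s %s global %s\n", $name, ($has ? 'HAS' : 'lacks'), $RIGHT;
    $ok = 0 if $has;   # any unprivileged user could open any ticket by id
}

# Role groups that SHOULD hold ShowTicket, so requestors still see their own tickets.
for my $role ('Requestor', 'Cc') {
    my $g = RT::Group->new( RT->SystemUser );
    $g->LoadRoleGroup( Object => RT->System, Name => $role );
    die "cannot load role group $role\n" unless $g->Id;
    my $has = $g->PrincipalObj->HasRight( Right => $RIGHT, Object => RT->System );
    printf "%-12s %s global %s\n", $role, ($has ? 'has' : 'LACKS'), $RIGHT;
    $ok = 0 unless $has;
}

print $ok ? "rights layout matches the recommended default\n"
          : "rights layout needs attention (see lines marked in capitals)\n";
exit( $ok ? 0 : 1 );
```

Run it as the RT user after changing Admin/Global/GroupRights.html; a non-zero exit means one of the two conditions from the reply is not met.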