3.8.4 - Customers able to see tickets for queues they don't have rights on

One of my customers has just alerted me to the fact that by doing a certain search they can list tickets they shouldn’t be able to see.

For example they build this search

Status = 'open' OR Status = 'stalled'

in Advanced and they can see rows returned for queues they do not have See Queue and Show Ticket rights for

However if you put ()s round the search it works correctly

(Status = 'open' OR Status = 'stalled')

This is on 3.8.4 - we’ve got 3.8.8 on a test system and it doesn’t seem to be showing the same problem on there.

Anyone noticed this before??

I use UseSQLForACLChecks = 1. If I turn that off then at least they can’t see things they shouldn’t, but now the search results are very messed up and you might have to page until you can find a visible ticket.

Justin

Justin Hayes
OpenBet Support Manager
justin.hayes@openbet.com

> This is on 3.8.4 - we’ve got 3.8.8 on a test system and it doesn’t seem to be showing the same problem on there.
>
> Anyone noticed this before??
>
> I use UseSQLForACLChecks = 1. If I turn that off then at least they can’t see things they shouldn’t, but now the search results are very messed up and you might have to page until you can find a visible ticket.

I suspect that this is “We’ve fixed a bug in UseSQLForACLChecks” more
than anything else.

There’s a reason (several actually) that we describe UseSQLForACLChecks
as beta ;)

Thanks Jesse. I know it’s beta, but does fix some other issues so having it on was better than not, if you see what I mean :)

I’m upgrading to 3.8.8 soon anyway which will fix it.

Justin

Justin Hayes
OpenBet Support Manager
justin.hayes@openbet.com

On 14 Jul 2010, at 14:49, Jesse Vincent wrote:

> > This is on 3.8.4 - we’ve got 3.8.8 on a test system and it doesn’t seem to be showing the same problem on there.
> >
> > Anyone noticed this before??
> >
> > I use UseSQLForACLChecks = 1. If I turn that off then at least they can’t see things they shouldn’t, but now the search results are very messed up and you might have to page until you can find a visible ticket.
>
> I suspect that this is “We’ve fixed a bug in UseSQLForACLChecks” more
> than anything else.
>
> There’s a reason (several actually) that we describe UseSQLForACLChecks
> as beta ;)