One of my customers has just alerted me to the fact that by doing a certain search they can list tickets they shouldn’t be able to see.
For example they build this search
Status = ‘open’ OR Status = ‘stalled’
in Advanced and they can see rows returned for queues they do not have See Queue and Show Ticket rights for
However if you put ()s round the search it works correctly
(Status = ‘open’ OR Status = ‘stalled’)
This is on 3.8.4 - we’ve got 3.8.8 on a test system and it doesn’t seem to be showing the same problem on there.
Anyone noticed this before??
I use UseSQLForACLChecks = 1. If I turn that off then at least they can’t see things they shouldn’t, but now the search results are very messed up and you might have to page until you can find a visible ticket.
OpenBet Support Manager