403 Forbidden message when adding local customisations

We are upgrading RT from 3.8.7 to 4.0.5.

We have some mason customisations under /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and a blank screen.

The functionality of the customizations is such that a separate form containing custom fields is added to a ticket. When this form is submitted a new ticket should be created in a different queue; however, the 403 and blank screen are being returned instead. The same mason file - /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems - is used to add the custom fields and is then posted back to itself as http://rt-url/Ticket/Elements/ManageInventoryItems

RT is obviously able to find the file and access it in order to add the customised form but when it tries to post back to itself the error is occurring.

We have tried adding the following directive to the /etc/request-tracker4/libapache2-mod-perl2 config:

<Directory /usr/local/share/request-tracker4/html>
    Order Allow,Deny
    Allow from all
</Directory>

This makes the entire libapache2-mod-perl2 config:
PerlSetEnv RT_SITE_CONFIG /etc/request-tracker4/RT_SiteConfig.pm

Alias / /usr/share/request-tracker4/html

<Directory /usr/local/share/request-tracker4/html>
    Order Allow,Deny
    Allow from all

    SetHandler modperl
    PerlResponseHandler Plack::Handler::Apache2
    PerlSetVar psgi_app /usr/share/request-tracker4/libexec/rt-server
</Directory>

# Limit mail gateway access to localhost by default
<Location /REST/1.0/NoAuth>
    Order Allow,Deny
    Allow from 127.0.0.1
</Location>

<Perl>
    use Plack::Handler::Apache2;
    Plack::Handler::Apache2->preload("/usr/share/request-tracker4/libexec/rt-server");
</Perl>

We have Set($LogToFile, ‘debug’) in RT_SiteConfig.pm but are seeing nothing in the RT error logs.
We have ‘LogLevel debug’ in apache2.conf and the only error we are seeing in the apache error log is the 403.

All file and directory permissions appear to be the same as the 3.8.7 installation. There are no .htaccess files.
We have also played around with the file’s owners and groups with no success.

We have also tried playing around with user and group access from within the RT user interface.

Have there been changes made in version 4 that would cause this to fail? Is there a way of getting more error messages out of Apache or RT? Any other suggestions?

Thank-you,
Jenni.

We are upgrading RT from 3.8.7 to 4.0.5.

We have some mason customisations under /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and a blank screen.

The functionality of the customizations is such that a separate form containing custom fields is added to a ticket. When this form is submitted a new ticket should be created in a different queue; however, the 403 and blank screen are being returned instead. The same mason file - /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems - is used to add the custom fields and is then posted back to itself as http://rt-url/Ticket/Elements/ManageInventoryItems

RT does not allow direct access to Elements, _elements, Widgets and a
few other files. This is a security issue since there are files in
Elements/ that do not expect to be accessed directly. It’s simpler
for RT to just deny direct access to these files.

If you’d applied the security patches from last year to your 3.8.7
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
you would have run into the same failure.

Move your custom form to something other than Elements, such as
Tickets/CustomForms/ and you’ll be fine.

-kevin

We are upgrading RT from 3.8.7 to 4.0.5.

We have some mason customisations under /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and a blank screen.

The functionality of the customizations is such that a separate form containing custom fields is added to a ticket. When this form is submitted a new ticket should be created in a different queue; however, the 403 and blank screen are being returned instead. The same mason file - /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems - is used to add the custom fields and is then posted back to itself as http://rt-url/Ticket/Elements/ManageInventoryItems

RT does not allow direct access to Elements, _elements, Widgets and a
few other files. This is a security issue since there are files in
Elements/ that do not expect to be accessed directly. It’s simpler
for RT to just deny direct access to these files.

If you’d applied the security patches from last year to your 3.8.7
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
you would have run into the same failure.

Move your custom form to something other than Elements, such as
Tickets/CustomForms/ and you’ll be fine.

That was the problem. Thanks for your help.

Jenni.