Address handling, and ticket creation from the web

While working on my own customizations of RT 3.6.1, I’ve noticed
a bad interaction between the handling of e-mail addresses and
ticket creation.

The problem arises if a user’s e-mail address has one of the
fancier forms, like “Last, First”, and
the user creates a ticket through the web interface.

The web interface puts the address in the Requestor field, and
the value from this field is passed to
RT::User_Overlay::LoadOrCreateByEmail to get the User object.

This works fine for simple addresses that look like

But with a more complicated address like
“Last, First”, the real address part gets
extracted, yielding “”, and this part of
the address is what’s passed to the LoadByEmail method. The look-up
fails, because the database contains the full address, not just this
part. Then, because the look-up failed, a new user record is created,
with “Last, First” as the user name, and “
as the e-mail address.

This is bad in several ways:

  1. An unnecessary user account gets created.
  2. The user that account is for doesn’t know it exists.
  3. The new ticket is linked to the new account, not the one
    the user knows how to access.
  4. So the user doesn’t see the new ticket under “Open Tickets”,
    and either tries again, or concludes that the system doesn’t work.

One work-around I see is to put a CanonicalizeUserInfo method
in that makes sure that only the real address goes
into the database. If we strip the extra info at the entry stage as
well as the look-up stage, the look-up will succeed.

But it seems to me that the real problem is that the web interface is
trying to make use of the API that’s designed for the mail gateway. I
don’t see any reason why the web interface should be relying on
looking up the user’s email address: it already knows the user ID,
and it should be able to pass that ID to the CreateTicket routine.

In fact, a minor side-effect of this design is that it’s easy to forge
the Creator of a ticket: since the Requestor field can be edited by
users, they can change it to anything they want, including another
user’s address. I just tried this, and it worked fine. This isn’t
terribly important (and a user who really wants to can always forge
an e-mail message as well), but still, I’d be happy with a system that
always linked a new ticket with the user who actually created it …

So, am I missing something here?
Has anyone got a solution in hand?
Or should I add this to my list of things to customize?
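
The look-up mismatch and the canonicalization work-around described in this message, as an added example that is not part of the original post and is not RT code: a small Python model of a load-or-create-by-email routine. The `UserStore` class, the `flast` user name and the `example.com` address are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample address in the "fancier" display-name form.
FULL = '"Last, First" <first.last@example.com>'

def canonical_email(value):
    """Return only the real address part of a possibly decorated address."""
    _name, addr = parseaddr(value)
    return addr.strip()

class UserStore:
    """Hypothetical stand-in for a user table with an e-mail column."""

    def __init__(self, canonicalize_on_entry):
        self.canonicalize_on_entry = canonicalize_on_entry
        self.rows = []

    def create(self, name, email):
        # With the work-around, extra info is stripped at the entry stage.
        stored = canonical_email(email) if self.canonicalize_on_entry else email
        row = {"id": len(self.rows) + 1, "name": name, "email": stored}
        self.rows.append(row)
        return row

    def load_by_email(self, email):
        # Exact match against whatever string was stored.
        return next((r for r in self.rows if r["email"] == email), None)

    def load_or_create_by_email(self, requestor):
        # The look-up stage always extracts the real address first.
        name, _ = parseaddr(requestor)
        addr = canonical_email(requestor)
        row = self.load_by_email(addr)
        if row is not None:
            return row, False
        # Look-up failed: a second account is created for the same person.
        return self.create(name or addr, addr), True

def demo(canonicalize_on_entry):
    store = UserStore(canonicalize_on_entry)
    original = store.create("flast", FULL)        # existing account
    owner, created = store.load_or_create_by_email(FULL)  # web ticket creation
    return original["id"], owner["id"], created, len(store.rows)

if __name__ == "__main__":
    print("full address stored:  ", demo(False))
    print("canonicalized on entry:", demo(True))
```

The first result shows the ticket owner resolving to a newly created second account; the second shows the look-up finding the existing account once both stages use the same form of the address.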



To answer my own question:

Reading the code some more this morning revealed that CreateTicket can
handle a numeric user ID in the Requestors field, as well as e-mail

This means that it’s easy to change the interface to get the behavior
I prefer.

Here’s a patch, in case anyone else likes the idea:


create_diff.patch (1.07 KB)