Confidentiality issue when customers search by ticket number

Hello all,

I am facing a confidentiality problem on my RT instance.

My customers have access to RT to create tickets. In the interface they have a search field they can use to go to a ticket number. The problem is that they can put a ticket number and see the ticket even if it is not one of their tickets.

I cannot find anywhere in the documentation or Google any start of explanation on that.

Also all my customers are under the same group.

Thanks for your help
Regards.

AL

You should grant ShowTicket via Requestor role for your customers rather
than via direct granting to a group.

Use
http://search.cpan.org/~ruz/RT-Extension-Utils-0.06/sbin/rt-check-user-right-on-ticket to
check how a particular user gets a right to a ticket.

On Thu, Sep 19, 2013 at 3:08 PM, Aurelien Lafranchise <aurelien.lafranchise@mobiquithings.com> wrote:




Best regards, Ruslan.
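
The difference described in the reply above, as a simplified model added here for illustration (it is not RT's code and not from the thread). The user names, queue name, ticket numbers and the helpers `paths_to_right` and `visible_tickets` are constructed for the example; `paths_to_right` mimics the kind of answer the checking script gives, namely through which principal a user reaches a right on one ticket.

```python
"""Toy model of group-granted vs. role-granted ShowTicket (not RT's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: int
    queue: str
    requestors: set = field(default_factory=set)


@dataclass
class Grant:
    right: str
    queue: str
    principal: str  # "group:<name>" or "role:Requestor"


def paths_to_right(user, groups, ticket, right, grants):
    """Return every grant through which `user` holds `right` on `ticket`."""
    paths = []
    for g in grants:
        if g.right != right or g.queue != ticket.queue:
            continue
        kind, name = g.principal.split(":", 1)
        if kind == "group" and name in groups.get(user, set()):
            paths.append(g.principal)  # membership applies to every ticket in the queue
        elif kind == "role" and name == "Requestor" and user in ticket.requestors:
            paths.append(g.principal)  # role applies only where the user is a requestor
    return paths


# Constructed sample data: two customers in the same group, one ticket each.
GROUPS = {"alice": {"Customers"}, "bob": {"Customers"}}
TICKETS = {101: Ticket(101, "Support", {"alice"}), 102: Ticket(102, "Support", {"bob"})}
GROUP_GRANT = [Grant("ShowTicket", "Support", "group:Customers")]
ROLE_GRANT = [Grant("ShowTicket", "Support", "role:Requestor")]


def visible_tickets(user, grants):
    """Ticket ids the user can open by number under the given grants."""
    return sorted(t.id for t in TICKETS.values()
                  if paths_to_right(user, GROUPS, t, "ShowTicket", grants))


if __name__ == "__main__":
    for label, grants in (("group grant", GROUP_GRANT), ("role grant", ROLE_GRANT)):
        for user in ("alice", "bob"):
            print(f"{label}: {user} can see {visible_tickets(user, grants)}")
    print("alice -> ticket 102 via:",
          paths_to_right("alice", GROUPS, TICKETS[102], "ShowTicket", GROUP_GRANT))
```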

You are totally right.

Thanks for your help and the tool that I did not know.

Aurélien Lafranchise
Network Operations Manager
Mob.: +33 (0)6 03 88 36 26
Fax: +33 (0)4 83 33 45 61
eMail: aurelien.lafranchise@mobiquithings.com
Web: http://www.mobiquithings.com

On 19 Sept. 2013 at 20:20, Ruslan Zakirov ruz@bestpractical.com wrote:
