Dangerous admin right for group to modify templates?

Hi folks,

I’ve got a new setup here: a group here wanted to periodically run a check against Idle tickets in their queue and bother the responsible persons by mail to solve them. They also wanted to be able to change, from time to time, the template used for that bothering mail.

Quite a reasonable request, so I’ve used the crontool to do the automatic check and periodically run the Notify action with the template name. I needed the Told time in that template and the name of the creator of the Told transaction.

So far I don’t know how to easily get the Real Name of the creator of a Transaction (or Attachment), as $Attachment->Creator() or $Transaction->Creator() gives only the ID number, so I’ve done it the hard way, like:

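         # Users collection created as the RT system user
         my $users = RT::Users->new($RT::SystemUser);
         # Take a user object from the collection and load the creator into it by ID
         my $user = $users->Next;
         $user->Load($attachment->Creator());
         # Real name of the creator
         my $creator = $user->RealName;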

And it worked.

I assume this is a security bug, because if a user has rights to modify a template used by crontool, he can do everything with RT itself, because he can use $RT::SystemUser. Am I right? If so, beware of giving users rights to modify templates used by crontool :) I don’t know yet if that works with templates not run by crontool; I have to check it.
Petr
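
A review aid for the situation described in the post, added here as an example that is not part of the original post or of RT: it extracts the Perl fragments from a template body and reports references to the system user. The watch list, function names and sample template are assumptions made for illustration; RT templates are processed by Text::Template, which evaluates brace-delimited fragments as Perl.

```python
import re

# Watch list (assumed): $RT::SystemUser is from the post, RT->SystemUser is the accessor form.
PRIVILEGED = re.compile(r"\$RT::SystemUser\b|\bRT->SystemUser\b")

def perl_blocks(template):
    """Yield (line_no, code) for each top-level brace-delimited Perl fragment."""
    # Text outside braces is literal; backslash-escaped braces are not delimiters.
    depth, start, start_line, line, i = 0, 0, 0, 1, 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and template[i + 1:i + 2] in ("{", "}"):
            i += 2
            continue
        if ch == "\n":
            line += 1
        elif ch == "{":
            if depth == 0:
                start, start_line = i + 1, line
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                yield start_line, template[start:i]
        i += 1
    if depth > 0:  # unterminated fragment: still review what is there
        yield start_line, template[start:]

def audit(template):
    """Return [(line_no, matched_name)] for privileged references inside Perl code."""
    findings = []
    for first_line, code in perl_blocks(template):
        for m in PRIVILEGED.finditer(code):
            findings.append((first_line + code.count("\n", 0, m.start()), m.group()))
    return findings

# Constructed sample template, modelled on the snippet in the post.
SAMPLE = """Subject: Idle ticket reminder
Please look at ticket {$Ticket->id}.
The name $RT::SystemUser outside braces is plain text.
{
  my $user = RT::Users->new($RT::SystemUser)->Next;
  $user->Load($Transaction->Creator);
}
"""

if __name__ == "__main__":
    for line_no, name in audit(SAMPLE):
        print(f"line {line_no}: template code references {name}")
```

A match list like this only catches direct references, so it supports review of template changes and does not replace limiting who may modify templates.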