Good morning,
we use rt since 3.something for our ticket system. Our customers are grouped and can’t “see” each other tickets. Works like charm for years.
During a data security audit a customer found out, that he can search for all users in user search, s he cannot see tickets of other users, but he can see at least the complete name an email.
We are forced by the data security guys to stop the user search.
And here my question: how ? I never found an option to limit who is able to search … I can modify source code but I’m in doubt the these changes will survive next update. Is there an “elegant” method to suppress user (and group) search ?
Many thanks in advance - Michael
If you make a local modification, don’t do it to the distributed source files but make a local copy (in, for example, the /opt/rt5/local/ directory hierarchy if your RT is installed in /opt/rt5). That way it will survive updates - the updates don’t touch anything there.
You could also use Callbacks rather than changing the code - the html/Search/*.html mention several that you could hook into. With Callbacks you can also modify the menus, so you could remove the search menu completely for group(s) you don’t want to have search facilities.
I don’t think there’s any built in ACL to stop a privileged user from doing searches (saving, loading and view other saved searches have ACLs, but not just searching).
Good morning,
many thanks for your answer ! I already modified the gotouser/gotogroup file, so that if you enter user search don’t can enter anything.
But - if you create a new ticket you can add all users in people section - if you just type “a” you automatically get an auto-completion with all names containing an “a”. So I assume this is more or less a back-end question, not just modify the search itself …
Cheers - Michael