Goto ticket error (security problem)

Hello, I am configuring a new helpdesk using Request Tracker. I notice one
problem and I am wondering if you can help me with my configuration.

When a user logs into the self service page they are presented with their
open tickets. Top right is also the goto ticket option; when the user types
in any ticket ID the ticket is shown to them even if they are not the
original submitter.

These users are default users created automatically when they submit a
ticket and in groups “everyone” and “privileged”.


> Hello, I am configuring a new helpdesk using Request Tracker. I notice one
> problem and I am wondering if you can help me with my configuration.
>
> When a user logs into the self service page they are presented with their
> open tickets. Top right is also the goto ticket option; when the user types
> in any ticket ID the ticket is shown to them even if they are not the
> original submitter.

You’ve granted “Everyone” the right to “ShowTicket”

Hello

If I remove this right it corrects the problem, however my user now cannot
see his open or closed tickets also

-----Original Message-----
From: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: 18 March 2006 03:23
To: Michael Shanks
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] goto ticket error (security problem)

> Hello I am configuring a new helpdesk using request tracker, I notice one
> problem and I am wondering if you can help me with my configuration,
>
> When a user logs into the self service page they are presented with their
> open tickets, top right is also the goto ticket option, when the user types
> in any ticket ID the ticket is shown to them even if they are not the
> original submitter,

You’ve granted “Everyone” the right to “ShowTicket”


Could you give me a bit of a pointer where to look online? I’ve got
the book but it’s at my office and I’m not in there until Monday. I’ve
had a look through the wiki but can’t find anything specific enough
for my needs

-----Original Message-----
From: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: 18 March 2006 14:57
To: Michael Shanks
Subject: Re: [rt-users] goto ticket error (security problem)

On Sat, Mar 18, 2006 at 08:35:11AM -0000, Michael Shanks wrote:

> Hello
>
> If I remove this right it corrects the problem, however my user now cannot
> see his open or closed tickets also

You might want to read up on the correct rights to grant on the wiki or
in RT Essentials.

Jesse


> Could you give me a bit of a pointer where to look online? I’ve got
> the book but it’s at my office and I’m not in there until Monday. I’ve
> had a look through the wiki but can’t find anything specific enough
> for my needs

You likely want to look at granting the ShowTicket right to the
Requestor role.

Michael,

Try giving the role "Requestor" the following rights: see queue, see
ticket, see outgoing e-mail, reply to ticket and watch. That way they
can find their tickets in the queue and interact about those tickets only
as the “requestor”.

Kenn

Michael Shanks wrote:

Cheers guys, sorted this one out now, got my head around it from the advice
Jesse gave :-)

-----Original Message-----
From: Ken Crocker [mailto:KFCrocker@lbl.gov]
Sent: Monday, March 20, 2006 5:14 PM
To: Michael Shanks
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] goto ticket error (security problem)

Michael,

Try giving the role "Requestor" the following rights: see queue, see
ticket, see outgoing e-mail, reply to ticket and watch. That way they can
find their tickets in the queue and interact about those tickets only as the
“requestor”.

Kenn

Michael Shanks wrote:

> Hello
>
> If I remove this right it corrects the problem, however my user now cannot
> see his open or closed tickets also
>
> -----Original Message-----
> From: Jesse Vincent [mailto:jesse@bestpractical.com]
> Sent: 18 March 2006 03:23
> To: Michael Shanks
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] goto ticket error (security problem)
>
> On Sat, Mar 18, 2006 at 02:00:26AM -0000, Michael Shanks wrote:
>
> > Hello I am configuring a new helpdesk using request tracker, I notice one
> > problem and I am wondering if you can help me with my configuration,
> >
> > When a user logs into the self service page they are presented with their
> > open tickets, top right is also the goto ticket option, when the user types
> > in any ticket ID the ticket is shown to them even if they are not the
> > original submitter,
>
> You’ve granted “Everyone” the right to “ShowTicket”
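
The difference between the two configurations discussed in this thread (ShowTicket granted to "Everyone" versus to the "Requestor" role), as an added example that is not part of the original messages and is not RT's own code. It is a simplified model of queue-level grants: the helper names, users and tickets are constructed, and SeeQueue, ShowTicket, ShowOutgoingEmail, ReplyToTicket and Watch are taken to be the RT right names behind the rights Kenn lists.

```python
from dataclasses import dataclass

# Simplified model (assumption): a queue ACL is a set of (principal, right)
# grants, where a principal is either a system-wide group or a ticket role.
SYSTEM_GROUPS = {"Everyone", "Privileged", "Unprivileged"}
TICKET_RIGHTS = ("ShowTicket", "ShowOutgoingEmail", "ReplyToTicket")

@dataclass
class Ticket:
    id: int
    roles: dict  # role name -> set of usernames holding it on this ticket

def principals_for(user, user_groups, ticket):
    """Groups the user always belongs to, plus roles held on this one ticket."""
    held = {role for role, members in ticket.roles.items() if user in members}
    return set(user_groups) | held

def has_right(acl, user, user_groups, ticket, right):
    return any((p, right) in acl for p in principals_for(user, user_groups, ticket))

def audit(acl):
    """Flag per-ticket rights granted to a system-wide group instead of a role."""
    return sorted((p, r) for p, r in acl if p in SYSTEM_GROUPS and r in TICKET_RIGHTS)

# Constructed sample data: two self-service users, one ticket each.
TICKETS = [Ticket(1, {"Requestor": {"alice"}}), Ticket(2, {"Requestor": {"bob"}})]
GROUPS = {"alice": {"Everyone"}, "bob": {"Everyone"}}

# The configuration from the first message: any logged-in user passes the check.
BROAD_ACL = {("Everyone", "ShowTicket")}
# The configuration suggested in the replies: rights follow the Requestor role.
ROLE_ACL = {("Requestor", r) for r in
            ("SeeQueue", "ShowTicket", "ShowOutgoingEmail", "ReplyToTicket", "Watch")}

def visible_tickets(acl, user):
    """Ticket IDs the user could open through 'goto ticket' under this ACL."""
    return [t.id for t in TICKETS
            if has_right(acl, user, GROUPS[user], t, "ShowTicket")]

if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("role", ROLE_ACL)):
        print(name, "| bob sees", visible_tickets(acl, "bob"),
              "| audit findings", audit(acl))
```

Removing the "Everyone" grant without adding the role grant leaves `visible_tickets` empty for every user, which is the "cannot see his open or closed tickets" symptom reported mid-thread.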