I just discovered a huge security hole in my RT implementation. I’m running v3.2.1 on Redhat with MySQL as a db. I have a couple of issues:
1. When a user logs in to check their tickets (so the user is not an admin user), they are presented with NO open tickets (even though they have some open as a requestor), and in the CLOSED tickets view they can see 6 tickets from another requestor that they should not be able to see at all!
2. As a regular user I can view ANY ticket by just inserting the ticket number in the URL, e.g. http://tickets/SelfService/Display.html?id=515. This will show ticket #515. I tried this on a bunch of tickets and each time this limited-access user could see EVERY ticket!!
These are two MAJOR issues for me, as you can imagine, and I’d like to know where to look to attempt to get this resolved. As history, I recently built a new RT server, moved the DB over and recompiled RT. Not sure if this has anything to do with it, but I thought I’d throw it out there.