How can I prevent users from reading other queues' tickets?

Hi,

I am using RT 3.2 and just found out two annoying things

  1. people who have NO permissions for a queue can still read the
    ticket when they get the URL
  2. tickets that do not have an owner get listed for every user of the
    system on the main page

What can I do to prevent both things?

Greetings
Tim
Tim Pritlove, Discordian Evangelist, Chaos Computer Club
mailto:tim@ccc.de http://tim.geekheim.de/ http://www.blinkenlights.de/
jabber:tim@jabber.ccc.de gizmo://timpritlove skype://timpritlove
A master of the art of living thrives best in the tension between bohemianism
and asceticism and, as a lived Gesamtkunstwerk, creates meaning for himself.
– Wikipedia


Hi Tim,

  1. There is more than one permission involved. The “SeeQueue” and the
    many “ShowTicket*”. When someone doesn’t have the “SeeQueue” permission
    it’s still possible to see the ticket, exactly as you described.
    Remove the ShowTicket and related from those users that don’t have the
    SeeQueue.

  2. If all users can see all queues that’s true. Tickets in a queue you
    can’t see are not shown in your main page…

Gilmar Santos Jr


Hi Gilmar,

thanks for the response

Hi Tim,

  1. There is more than one permission involved. The “SeeQueue” and the
    many “ShowTicket*”. When someone doesn’t have the “SeeQueue” permission
    it’s still possible to see the ticket, exactly as you described.
    Remove the ShowTicket and related from those users that don’t have the
    SeeQueue.
  2. If all users can see all queues that’s true. Tickets in a queue you
    can’t see are not shown in your main page…

I do my permission management by assigning people to groups and
assigning group permissions to queues. So this would mean that people
who do not belong to a queue should not have a single right on that
particular queue, right?

However, RT 3.2 does not seem to honor this as people that belong to
other groups that do not have a single right for that queue can still
see the ticket as long as it is not owned by a user.

The funny thing is that while it is visible for me being logged in as
a user with the right to see the queue, the ticket is marked as
belonging to that queue.

But somebody else with an account in that system without queue
permission sees the ticket listed in the “10 newest unowned
tickets…” section on the home page without mentioning which queue
it is assigned to (the queue field is just empty). If the privileged
user now “takes” the ticket, the ticket is no longer showing up in
this list, but the unprivileged user can still see the ticket.

So the “SeeQueue” privilege seems more like a “don’t show which queue
the ticket is in” than a “don’t show tickets that belong to a queue”.

How can I prevent this from happening?

Greetings
Tim






The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical: Careers — Best Practical Solutions


Tim Pritlove, Discordian Evangelist, Chaos Computer Club
mailto:tim@ccc.de http://tim.geekheim.de/ http://www.blinkenlights.de/
jabber:tim@jabber.ccc.de gizmo://timpritlove skype://timpritlove
“We have Ph.D.s here who know the stuff cold, and we don’t
believe it’s possible to protect digital content” – Steve Jobs


I whipped something up because of similar problems on our install. It
may work for you. I removed the X Unowned tickets from
local/html/index.html and replaced it with this.

http://wiki.bestpractical.com/index.cgi?TicketsPerQueue


Drew Barnes
Applications Analyst
Raymond Walters College
University of Cincinnati

Hi Gilmar,

thanks for the response

Hi Tim,

  1. There is more than one permission involved. The “SeeQueue” and the
    many “ShowTicket*”. When someone doesn’t have the “SeeQueue” permission
    it’s still possible to see the ticket, exactly as you described.
    Remove the ShowTicket and related from those users that don’t have the
    SeeQueue.
  2. If all users can see all queues that’s true. Tickets in a queue you
    can’t see are not shown in your main page…

I do my permission management by assigning people to groups and
assigning group permissions to queues. So this would mean that people
who do not belong to a queue should not have a single right on that
particular queue, right?

It sounds like you have some global or pseudo-group permissions assigned.
Make sure that the Everyone, Privileged and Unprivileged groups don’t have any
rights assigned. Consider using Todd’s RTx::RightsMatrix
(RTx-RightsMatrix-0.03.00 - RT RightsMatrix Extension - metacpan.org) to help
you figure out where the rights are being inherited from.

Michael
Michael S. Liebman m-liebman@northwestern.edu
http://msl521.freeshell.org/
“I have vision and the rest of the world wears bifocals.”
-Paul Newman in “Butch Cassidy & the Sundance Kid”
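A small model of how RT resolves rights, added here as an illustration and not code from RT or from anyone in this thread: it reproduces the behaviour Tim describes (ShowTicket inherited from a global grant to the Privileged system group, so the ticket page opens but the queue field stays empty) and performs the audit Michael suggests, listing where each right is inherited from. The group names, users and ACL entries are constructed, and RT's role groups (Owner, Requestor, Cc, AdminCc) are deliberately left out of the model.

```python
from dataclasses import dataclass, field

GLOBAL = "RT::System"  # object on which global (system-wide) rights are granted


@dataclass
class Acl:
    """Constructed stand-in for RT's ACL: which group holds which right on what."""
    grants: set = field(default_factory=set)      # {(group, right, queue-or-GLOBAL)}
    members: dict = field(default_factory=dict)   # user -> set of user-defined groups
    privileged: set = field(default_factory=set)  # users carrying the Privileged flag

    def groups_of(self, user):
        # Everyone/Privileged/Unprivileged are RT's system groups: a user is always
        # in Everyone and in exactly one of the other two (role groups not modelled).
        system = {"Everyone", "Privileged" if user in self.privileged else "Unprivileged"}
        return system | self.members.get(user, set())

    def where_from(self, user, right, queue):
        """Grants that give `user` the right on `queue`, per-queue or globally."""
        return sorted((g, obj) for g in self.groups_of(user)
                      for obj in (queue, GLOBAL) if (g, right, obj) in self.grants)

    def has_right(self, user, right, queue):
        return bool(self.where_from(user, right, queue))

    def without_global_system_grants(self):
        """Hardened copy: drop global grants held by the three system groups."""
        keep = {g for g in self.grants if not (
            g[2] == GLOBAL and g[0] in ("Everyone", "Privileged", "Unprivileged"))}
        return Acl(keep, self.members, self.privileged)


def ticket_view(acl, user, queue):
    """None if the ticket page is refused; otherwise the queue name it shows,
    which is '' when ShowTicket is held without SeeQueue (the empty queue field)."""
    if not acl.has_right(user, "ShowTicket", queue):
        return None
    return queue if acl.has_right(user, "SeeQueue", queue) else ""


# Constructed sample: the 'support' group is correctly scoped to its queue, but a
# stray global ShowTicket grant to Privileged leaks every ticket to every staff user.
SAMPLE = Acl(
    grants={("support", "SeeQueue", "Support"), ("support", "ShowTicket", "Support"),
            ("Privileged", "ShowTicket", GLOBAL)},
    members={"alice": {"support"}, "bob": set()},
    privileged={"alice", "bob"},
)
```

Calling `SAMPLE.where_from("bob", "ShowTicket", "Support")` points straight at the global grant, and `SAMPLE.without_global_system_grants()` shows that removing it closes the leak without touching the support group's own rights.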