Hi,
I am using RT 3.2 and just found out two annoying things
- people who have NO permissions for a queue can still read the
ticket when they get the URL
- tickets that do not have an owner get listed for every user of the
system on the main page
What can I do to prevent both things?
Greetings
Tim
Tim Pritlove, Discordian Evangelist, Chaos Computer Club
mailto:tim@ccc.de http://tim.geekheim.de/ <http://
www.blinkenlights.de/>
jabber:tim@jabber.ccc.de gizmo://timpritlove skype://timpritlove
Ein Lebenskünstler gedeiht am besten im Spannungsfeld zwischen Bohème
und Askese und ist als gelebtes Gesamtkunstwerk sinnstiftend für sich
selbst. – Wikipedia
smime.p7s (3.49 KB)
Hi Gilmar,
thanks for the response
Hi Tim,
- There is more than one permission involved. The “SeeQueue” and the
many “ShowTicket*”. When someone doesn’t have the “SeeQueue”
permission
it’s still possible to see ticket, exactly as you described.
Remove the ShowTicket and related from those users that don’t have the
SeeQueue.
- If all users can see all queues that’s true. Tickets in a queue you
can’t see are not shown in your main page…
I do my permission management by assigning people to groups and
assigning group permissions to queues. So this would mean that people
who do not belong to a queue should not have a single right on that
particular queue, right?
However, RT 3.2 does not seem to honor this as people that belong to
other groups that do not have a single right for that queue can still
see the ticket as long as it is not owned by a user.
The funny thing is that while it is visible for me being logged in as
a user with the right to see the queue, the ticket is marked as
belonging to that queue.
But somebody else with an account in that system without queue
permission sees the ticket listed in the “10 newest unowned
tickets…” section on the home page without mentioning which queue
it is assigned to (the queue field is just empty). If the privileged
user know “takes” the ticket, the ticket is no longer showing up in
this list, but the unprivileged user can still see the ticket.
So the “SeeQueue” privilege seems more like a “don’t show which queue
the ticket is in” than a “don’t show tickets that belong to a queue”.
How can I prevent this from happening?
Greetings
Tim
–
Gilmar Santos Jr
Tim Pritlove escreveu:
Hi,
I am using RT 3.2 and just found out two annoying things
- people who have NO permissions for a queue can still read the
ticket when they get the URL
- tickets that do not have an owner get listed for every user of the
system on the main page
What can I do to prevent both things?
Ein Lebenskünstler gedeiht am besten im Spannungsfeld zwischen Bohème
und Askese und ist als gelebtes Gesamtkunstwerk sinnstiftend für sich
selbst. – Wikipedia
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
We’re hiring! Come hack Perl for Best Practical: http://
Careers — Best Practical Solutions
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
We’re hiring! Come hack Perl for Best Practical: http://
Careers — Best Practical Solutions
Tim Pritlove, Discordian Evangelist, Chaos Computer Club
mailto:tim@ccc.de http://tim.geekheim.de/ <http://
www.blinkenlights.de/>
jabber:tim@jabber.ccc.de gizmo://timpritlove skype://timpritlove
“We have Ph.D.s here who know the stuff cold, and we don’t
believe it’s possible to protect digital content” – Steve Jobs
smime.p7s (3.49 KB)
I whipped something up because of similar problems on our install. It
may work for you. I removed the X Unowned tickets from
local/html/index.html and replaced it with this.
http://wiki.bestpractical.com/index.cgi?TicketsPerQueue
Tim Pritlove wrote:
Hi Gilmar,
thanks for the response
Hi Tim,
- There is more than one permission involved. The “SeeQueue” and the
many “ShowTicket*”. When someone doesn’t have the “SeeQueue” permission
it’s still possible to see ticket, exactly as you described.
Remove the ShowTicket and related from those users that don’t have the
SeeQueue.
- If all users can see all queues that’s true. Tickets in a queue you
can’t see are not shown in your main page…
I do my permission management by assigning people to groups and
assigning group permissions to queues. So this would mean that people
who do not belong to a queue should not have a single right on that
particular queue, right?
However, RT 3.2 does not seem to honor this as people that belong to
other groups that do not have a single right for that queue can still
see the ticket as long as it is not owned by a user.
The funny thing is that while it is visible for me being logged in as
a user with the right to see the queue, the ticket is marked as
belonging to that queue.
But somebody else with an account in that system without queue
permission sees the ticket listed in the “10 newest unowned
tickets…” section on the home page without mentioning which queue
it is assigned to (the queue field is just empty). If the privileged
user know “takes” the ticket, the ticket is no longer showing up in
this list, but the unprivileged user can still see the ticket.
So the “SeeQueue” privilege seems more like a “don’t show which queue
the ticket is in” than a “don’t show tickets that belong to a queue”.
How can I prevent this from happening?
Greetings
Tim
–
Gilmar Santos Jr
Tim Pritlove escreveu:
Hi,
I am using RT 3.2 and just found out two annoying things
- people who have NO permissions for a queue can still read the
ticket when they get the URL
- tickets that do not have an owner get listed for every user of the
system on the main page
What can I do to prevent both things?
Ein Lebenskünstler gedeiht am besten im Spannungsfeld zwischen Bohème
und Askese und ist als gelebtes Gesamtkunstwerk sinnstiftend für sich
selbst. – Wikipedia
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
We’re hiring! Come hack Perl for Best Practical:
Careers — Best Practical Solutions
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
We’re hiring! Come hack Perl for Best Practical:
Careers — Best Practical Solutions
“We have Ph.D.s here who know the stuff cold, and we don’t
believe it’s possible to protect digital content” – Steve Jobs
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
We’re hiring! Come hack Perl for Best Practical: Careers — Best Practical Solutions
Drew Barnes
Applications Analyst
Raymond Walters College
University of Cincinnati
Hi Gilmar,
thanks for the response
Hi Tim,
- There is more than one permission involved. The “SeeQueue” and the
many “ShowTicket*”. When someone doesn’t have the “SeeQueue”
permission
it’s still possible to see ticket, exactly as you described.
Remove the ShowTicket and related from those users that don’t have the
SeeQueue.
- If all users can see all queues that’s true. Tickets in a queue you
can’t see are not shown in your main page…
I do my permission management by assigning people to groups and
assigning group permissions to queues. So this would mean that people
who do not belong to a queue should not have a single right on that
particular queue, right?
It sounds like you have some global or pseudo-group permissions assigned.
Make sure that Everyone, Privledged and Unprivledged groups don’t have any
rights assigned. Consider using Todd’s RTx::RightsMatrix (
RTx-RightsMatrix-0.03.00 - RT RightsMatrix Extension - metacpan.org) to help you figure out
where the rights are being inherited from.
Michael
Michael S. Liebman m-liebman@northwestern.edu
http://msl521.freeshell.org/
“I have vision and the rest of the world wears bifocals.”
-Paul Newman in “Butch Cassidy & the Sundance Kid”