Limiting what tickets requestors can see

RT Users
1

Hi,

A couple of questions.

First of all, we’re looking to see if it’s possible for customers (ie,
people external to our environment) who send in tickets can log into RT
and see their tickets from the web interface. I see that this is
possible from setting the ShowTicket privilege, but the problem here is
that they can just type in any ticket number, and as long as they have
that permission for that queue, they can see any ticket in that queue.
Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?

Secondly, I know that right now there is no CLI (rt or rtadmin scripts)
for RT3.0. Is there any estimate on when there might be? We’re on 2.0.15
at the moment and cannot move to 3.0 yet as we have reporting
dependencies on the command line utilities.

Regards,
Jeremy Doran fox-rt_users@vulpes.net

2

Jeremy Doran wrote:

Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?

SeeTicket, granted to Requestor, not Everyone.
�|� Request Tracker... So much more than a help desk — Best Practical Solutions – Trouble Ticketing. Free.

3

I wanted to follow up on this, as this is rapidly becoming a ‘make or
break’ issue to whether we keep RT here.

I got one reply back privately with a suggestion, but so far, that
hasn’t seemed to work.

Right now, I’m experimenting to see if I can do this with RT3, but so
far, I’ve not been able to restrict it so that ‘Requestor 1’ can only
see tickets that they have submitted, and not see tickets from
‘Requestor 2’

I’ve limited the groups down as follows thus far:

Global group Everyone:
CreateTicket
ModifySelf

Queue group Requestor:
ShowTicket
ReplyToTicket

If I log in as ‘Requestor 1’ who submitted ticket (for example’s sake)
3101, I see that ticket in the listing of tickets that user requested.
All well and good. However, if I enter ticket 3095 (submitted by
‘Requestor 2’ from another company) in the ‘Goto Ticket’ box, or edit
the URL so that id=3095 is passed to Display.html, then ‘Requestor 1’ is
able to see 'Requestor 2’s ticket, as well as any proprietary and
confidential information that might be in that ticket. This is what we
absolutely must be able to prevent if we are to continue with RT at our
company.

‘Requestor 1’ must not be able to see tickets that they did not
request.

Is this possible? If not, what would need to be done to make it so in
the code?

Thanks,On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:

First of all, we’re looking to see if it’s possible for customers (ie,
people external to our environment) who send in tickets can log into RT
and see their tickets from the web interface. I see that this is
possible from setting the ShowTicket privilege, but the problem here is
that they can just type in any ticket number, and as long as they have
that permission for that queue, they can see any ticket in that queue.
Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?

Jeremy Doran fox-rt_users@vulpes.net

4

Is requestor 1 an honest to god unprivileged user? Someone reported this
issue about six months ago and it turned out that they had either
granted extra global/queue rights or they were using a user that had
extra rights individually.

-jOn Fri, Apr 11, 2003 at 09:46:01AM -0700, Jeremy Doran wrote:

I wanted to follow up on this, as this is rapidly becoming a ‘make or
break’ issue to whether we keep RT here.

I got one reply back privately with a suggestion, but so far, that
hasn’t seemed to work.

Right now, I’m experimenting to see if I can do this with RT3, but so
far, I’ve not been able to restrict it so that ‘Requestor 1’ can only
see tickets that they have submitted, and not see tickets from
‘Requestor 2’

I’ve limited the groups down as follows thus far:

Global group Everyone:
CreateTicket
ModifySelf

Queue group Requestor:
ShowTicket
ReplyToTicket

If I log in as ‘Requestor 1’ who submitted ticket (for example’s sake)
3101, I see that ticket in the listing of tickets that user requested.
All well and good. However, if I enter ticket 3095 (submitted by
‘Requestor 2’ from another company) in the ‘Goto Ticket’ box, or edit
the URL so that id=3095 is passed to Display.html, then ‘Requestor 1’ is
able to see 'Requestor 2’s ticket, as well as any proprietary and
confidential information that might be in that ticket. This is what we
absolutely must be able to prevent if we are to continue with RT at our
company.

‘Requestor 1’ must not be able to see tickets that they did not
request.

Is this possible? If not, what would need to be done to make it so in
the code?

Thanks,

On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:

First of all, we’re looking to see if it’s possible for customers (ie,
people external to our environment) who send in tickets can log into RT
and see their tickets from the web interface. I see that this is
possible from setting the ShowTicket privilege, but the problem here is
that they can just type in any ticket number, and as long as they have
that permission for that queue, they can see any ticket in that queue.
Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?


Jeremy Doran fox-rt_users@vulpes.net

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

Request Tracker... So much more than a help desk — Best Practical Solutions – Trouble Ticketing. Free.

5

Jeremy;

( I take it that your requesters are non-privileged users ??)
The way I managed to avoid my non-privileged users seeing tickets other than there’s:
1- The are not queue members
2- Unprivileged+Everyone groups have no rights
3- Requestors have ShowTicket + ReplytoTicket right only
4- As an extra caution I removed the GoToticket button from the SelfService view…

Roy----- Original Message -----
From: “Jeremy Doran” fox-rt_users@vulpes.net
To: rt-users@lists.fsck.com
Sent: Friday, April 11, 2003 5:46 PM
Subject: [rt-users] Limiting requestors to only see tickets they requested

I wanted to follow up on this, as this is rapidly becoming a ‘make or
break’ issue to whether we keep RT here.

I got one reply back privately with a suggestion, but so far, that
hasn’t seemed to work.

Right now, I’m experimenting to see if I can do this with RT3, but so
far, I’ve not been able to restrict it so that ‘Requestor 1’ can only
see tickets that they have submitted, and not see tickets from
‘Requestor 2’

I’ve limited the groups down as follows thus far:

Global group Everyone:
CreateTicket
ModifySelf

Queue group Requestor:
ShowTicket
ReplyToTicket

If I log in as ‘Requestor 1’ who submitted ticket (for example’s sake)
3101, I see that ticket in the listing of tickets that user requested.
All well and good. However, if I enter ticket 3095 (submitted by
‘Requestor 2’ from another company) in the ‘Goto Ticket’ box, or edit
the URL so that id=3095 is passed to Display.html, then ‘Requestor 1’ is
able to see 'Requestor 2’s ticket, as well as any proprietary and
confidential information that might be in that ticket. This is what we
absolutely must be able to prevent if we are to continue with RT at our
company.

‘Requestor 1’ must not be able to see tickets that they did not
request.

Is this possible? If not, what would need to be done to make it so in
the code?

Thanks,

On Thu, 2003-03-27 at 10:40, Jeremy Doran wrote:

First of all, we’re looking to see if it’s possible for customers (ie,
people external to our environment) who send in tickets can log into RT
and see their tickets from the web interface. I see that this is
possible from setting the ShowTicket privilege, but the problem here is
that they can just type in any ticket number, and as long as they have
that permission for that queue, they can see any ticket in that queue.
Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?


Jeremy Doran fox-rt_users@vulpes.net

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

6

Is requestor 1 an honest to god unprivileged user? Someone reported this
issue about six months ago and it turned out that they had either
granted extra global/queue rights or they were using a user that had
extra rights individually.

I’ve just double checked the user in the configuration, and I have ‘Let
this user access RT’ checked, but ‘Let this user be granted rights’ is
unchecked.

I doubled checked the global and queue rights too, and they are what I
stated. (Just making sure :slight_smile:

-j

I wanted to follow up on this, as this is rapidly becoming a ‘make or
break’ issue to whether we keep RT here.

I got one reply back privately with a suggestion, but so far, that
hasn’t seemed to work.

Right now, I’m experimenting to see if I can do this with RT3, but so
far, I’ve not been able to restrict it so that ‘Requestor 1’ can only
see tickets that they have submitted, and not see tickets from
‘Requestor 2’

I’ve limited the groups down as follows thus far:

Global group Everyone:
CreateTicket
ModifySelf

Queue group Requestor:
ShowTicket
ReplyToTicket

If I log in as ‘Requestor 1’ who submitted ticket (for example’s sake)
3101, I see that ticket in the listing of tickets that user requested.
All well and good. However, if I enter ticket 3095 (submitted by
‘Requestor 2’ from another company) in the ‘Goto Ticket’ box, or edit
the URL so that id=3095 is passed to Display.html, then ‘Requestor 1’ is
able to see 'Requestor 2’s ticket, as well as any proprietary and
confidential information that might be in that ticket. This is what we
absolutely must be able to prevent if we are to continue with RT at our
company.

‘Requestor 1’ must not be able to see tickets that they did not
request.

Is this possible? If not, what would need to be done to make it so in
the code?

Thanks,

First of all, we’re looking to see if it’s possible for customers (ie,
people external to our environment) who send in tickets can log into RT
and see their tickets from the web interface. I see that this is
possible from setting the ShowTicket privilege, but the problem here is
that they can just type in any ticket number, and as long as they have
that permission for that queue, they can see any ticket in that queue.
Is there any permission that should be set that will restrict that
requestor to only see tickets that they have requested?


Jeremy Doran fox-rt_users@vulpes.net

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
Jeremy Doran fox-rt_users@vulpes.net

7

Is requestor 1 an honest to god unprivileged user? Someone reported this
issue about six months ago and it turned out that they had either
granted extra global/queue rights or they were using a user that had
extra rights individually.

I’ve just double checked the user in the configuration, and I have ‘Let
this user access RT’ checked, but ‘Let this user be granted rights’ is
unchecked.

I doubled checked the global and queue rights too, and they are what I
stated. (Just making sure :slight_smile:

And I wasn’t sure enough. I didn’t notice the ‘Unprivileged’ group in
RT3 had somehow gotten itself set to ‘ShowTickets’.

My bad. It looks like it’s working now.

Jeremy Doran fox-rt_users@vulpes.net