I manage an RT 4.2.11 deployment using Debian Wheezy, Apache 2.2, mod_fcgid
Today we had a very concerning issue regarding a notification being sent to
a requestor even when it had been explicitly unchecked in the recipients
list. At first I didn’t believe the user, but then I found this in the log:
Jun 22 11:29:08RT:[user.info<14>] 
firstname.lastname@example.org is blacklisted by notification checkboxes for
this transaction. Skipping
Jun 22 11:29:55RT:[user.info<14>]  email@example.com #4519/69938 - Scrip 59 On Correspond from web Notify Requestor and Ccs
Jun 22 11:29:56RT:[user.info<14>]  firstname.lastname@example.org sent To: email@example.com
You can see that the requestor address was unchecked, but he was notified
anyway. The notificatoin script uses a custom condition to just send the
notification when using the web interface, with the possibility of
squelching recipients manually. The default behaviour (implicit
notification to all requestors even for correspondence by mail) was
confusing for my team mates.
The only odd thing I can see in the log is that the “Blacklisted” and the
"sent to …" entries are written by two different perl processes (PID 6157
and 6145 respectively). That didn’t happen when I tried to reproduce the
issue (with no success).
Does anyone know if that’s normal in mod_fcgid? Could it be the cause of
It’s a big problem for us if we cannot fully trust the platform to not
spread confidential information to unintended recipients.
Thank you in advance,