Other queues showing up in "RT at a Glance"

OK, so one of my co-workers just noticed that people are seeing tickets from
queues they don’t have access to being listed in the “10 newest unowned
tickets…” window. But here’s the kinda weird bit: there is nothing under
the “Queue” column for the tickets in the queues these people don’t have
access to. When I look (I have access to see all queues) I see all the queue
names. So, to recap, Everyone sees all the tickets listed in that window.
If you have access to a queue, you see its name listed, otherwise just blank
space. This is very dangerous, because anyone can click on any of those
links to view the contents of those tickets, and they can even TAKE the
ticket.

This whole bit only recently came to happen (right after we upgraded from
3.0.1 to 3.4.2). Any ideas as to how this happened?

Thanks.
–Alex

Alex Brelsfoard
Web Applications Developer
Web Development Office
Worcester Polytechnic Institute
508-831-6147
alexb@wpi.edu

Brelsfoard, Alex wrote:

OK, so one of my co-workers just noticed that people are seeing
tickets from queues they don’t have access to being listed in the “10
newest unowned tickets…” window. But here’s the kinda weird bit:
there is nothing under the “Queue” column for the tickets in the
queues these people don’t have access to. When I look (I have access
to see all queues) I see all the queue names. So, to recap, Everyone
sees all the tickets listed in that window. If you have access to a
queue, you see its name listed, otherwise just blank space. This is
very dangerous, because anyone can click on any of those links to view
the contents of those tickets, and they can even TAKE the ticket.

Sounds like you have global See Ticket/Own Ticket/Take
Ticket/Do-Something-To Ticket rights set, rather than per-queue.

DB

3.4.2 is a beta version (I think). 3.4.1 is the newest current
release (I think - again). If so then this post probably belongs on
the devel list.

Stephen Hancock

On Mon, 28 Mar 2005 11:49:42 -0500, Brelsfoard, Alex alexb@wpi.edu wrote:


OK, so one of my co-workers just noticed that people are seeing
tickets from queues they don’t have access to being listed in the “10
newest unowned tickets…” window. But here’s the kinda weird bit:
there is nothing under the “Queue” column for the tickets in the
queues these people don’t have access to. When I look (I have access
to see all queues) I see all the queue names. So, to recap, Everyone
sees all the tickets listed in that window. If you have access to a
queue, you see its name listed, otherwise just blank space. This is
very dangerous, because anyone can click on any of those links to view
the contents of those tickets, and they can even TAKE the ticket.

I have the same “problem”, but I think I know why.

On my queue(s) I have permissions for “CommentOnTicket”, “CreateTicket”,
“ReplyToTicket”, and “ShowTicket” assigned to Everyone. This was to
allow tickets to be created and commented/replied to using email. And I
think so that people could use the web interface to view their own
tickets.

I suspect you have something similar…

A fix? I’m not sure - remove the ShowTicket right and give it to the
Requestor instead?

Cheers,
Tim.

Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x5AE7D984

Yeah, this is exactly what is going on with our setup. We have an email
alias set up to be able to create tickets. But for this to be working what
exactly needs to be? I have taken away ALL rights from “Everyone” and have
Watch and CreateTicket set for “Requestor”. Emails are still able to create
tickets, but low-level users are also still seeing tickets they shouldn’t be.

CORRECTION: I am using version 3.4.1, NOT 3.4.2, sorry.

I am going to keep playing with the group rights, but I don’t see how any
other playing is going to change anything (at least not the way I want it to
be changed).
If anyone has any ideas, I greatly welcome them…
Thanks again.
–Alex

Alex Brelsfoard
Web Applications Developer
Web Development Office
Worcester Polytechnic Institute
508-831-6147
alexb@wpi.edu

Brelsfoard, Alex wrote:

Yeah, this is exactly what is going on with our setup. We have an email
alias set up to be able to create tickets. But for this to be working what
exactly needs to be? I have taken away ALL rights from “Everyone” and have
Watch and CreateTicket set for “Requestor”. Emails are still able to create
tickets, but low-level users are also still seeing tickets they shouldn’t be.

This is why we do not use any global rights (beyond ModifySelf), instead
setting rights on each queue. For our netpos queue we have:
Everyone: CreateTicket, ReplyToTicket
Requestor: SeeTicket
Network group: Modify, Own, SeeQueue, Show, Show Comments, Watch, Watch as CC

We also do some customization in the User Rights section, but always in
the Queue rights and never globally.

DB
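
The failure discussed in this thread, as an added example (not part of the original messages and not RT's own code): a simplified Python model in which a global grant applies to every queue, showing why a global ShowTicket for Everyone lists every ticket with a blank Queue column and how a per-queue layout removes that. The grant tuples, queue names, ticket ids and the rule that the queue name is rendered only with SeeQueue are assumptions of the model; role rights such as Requestor are not modelled.

```python
# Simplified model of RT-style rights (added example; not RT's own code).
# A grant is (principal, right, scope); scope is GLOBAL or a queue name.
GLOBAL = "GLOBAL"
ALLOWED_GLOBAL = {"ModifySelf"}  # policy stated in the thread

def effective_rights(grants, principals, queue):
    """Rights held in `queue`; a global grant applies to every queue."""
    return {right for who, right, scope in grants
            if who in principals and scope in (GLOBAL, queue)}

def listing_row(grants, principals, ticket_id, queue):
    """Row in an 'unowned tickets' list, or None if the ticket is hidden.
    Assumption: the queue name is rendered only with SeeQueue."""
    rights = effective_rights(grants, principals, queue)
    if "ShowTicket" not in rights:
        return None
    return (ticket_id, queue if "SeeQueue" in rights else "")

def audit_global(grants):
    """Global grants that break the 'per-queue only' policy."""
    return sorted((who, right) for who, right, scope in grants
                  if scope == GLOBAL and right not in ALLOWED_GLOBAL)

# Constructed sample data (hypothetical queues, tickets and principals).
TICKETS = [(101, "helpdesk"), (102, "netpos"), (103, "hr")]
LOW_LEVEL_USER = {"Everyone"}
NETWORK_STAFF = {"Everyone", "Network group"}

BROKEN = [  # ticket rights granted to Everyone globally
    ("Everyone", "ShowTicket", GLOBAL),
    ("Everyone", "TakeTicket", GLOBAL),
    ("Network group", "SeeQueue", "netpos"),
]
FIXED = [   # only ModifySelf is global; the rest is per queue
    ("Everyone", "ModifySelf", GLOBAL),
    ("Everyone", "CreateTicket", "netpos"),
    ("Everyone", "ReplyToTicket", "netpos"),
    ("Network group", "ShowTicket", "netpos"),
    ("Network group", "SeeQueue", "netpos"),
]

def listing(grants, principals):
    """All visible rows for a user under a given set of grants."""
    rows = (listing_row(grants, principals, t, q) for t, q in TICKETS)
    return [r for r in rows if r is not None]

if __name__ == "__main__":
    print(audit_global(BROKEN))              # global grants to remove
    print(listing(BROKEN, LOW_LEVEL_USER))   # every ticket, blank queue
    print(listing(FIXED, NETWORK_STAFF))     # only the netpos ticket
```
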

Yeah, I’ve finally gotten it working. I removed nearly ALL global rights.
There were just a few I kept to keep things going.
I guess the global rights got reset after the upgrade.
Thanks to all for the help.
–Alex

Alex Brelsfoard
Web Applications Developer
Web Development Office
Worcester Polytechnic Institute
508-831-6147
alexb@wpi.edu


The Wiki is your friend.

http://wiki.bestpractical.com/index.cgi?PrivilegedUsers
http://wiki.bestpractical.com/index.cgi?Rights

Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
"Such a process is cognitively effortful." - Rachel K. E. Bellamy