We have been removing all global permissions from the Privileged user
group on our RT install, to let some important customers have access to
their own support queue. In doing this, we seem to have stumbled on what
appears to be a bug with the ModifyTicket setting. The user is able to
search for email addresses through the "People" area of a ticket, and
return a list of every email address known to RT.
Users in the CustnameEmployees group have the following permissions for
their queue. The users are privileged, and I have spent most of the
morning ensuring the Privileged group does not have any global
Logging in as one of those users, I can see the queue and open tickets,
and I cannot edit any values for the ticket information, as expected.
However, when you click on the blue "People" bar at the top of a ticket,
you can search for email addresses and have valid addresses returned. The
real danger comes when you search for people whose userid contains %. This
returns a list of every email address known to RT. Warning: this
potentially puts a very big load on the server and your browser. It seems
that a user without ModifyTicket should not be able to search for email
addresses, and nobody should be able to search for %. Has anyone else
noticed this behavior?
PS: thanks for RT, it's been great for us. We have managed to roll a number
of legacy tools into it, having one place for everything.
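The behavior described in the post above (a lone % returning every address) is what you get when user-supplied text is placed into a SQL LIKE pattern without escaping the wildcard characters. The following is an added example, not RT's own code or a reproduction of its search; it uses Python and an in-memory SQLite table as a stand-in for a directory search, with constructed user records, a naive search beside a hardened one that escapes LIKE metacharacters and rejects very short terms. The table name, column names and the MIN_TERM_LEN threshold are assumptions for illustration.

```python
"""Why an unescaped '%' in a LIKE search enumerates the whole directory,
and one way to neutralise it. Added example with constructed data;
not RT's code."""
import sqlite3

# Constructed sample directory (not real addresses).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.org"),
    ("carol_smith", "carol.smith@example.net"),
    ("dave", "dave@example.com"),
]

# Assumption: refuse terms too short to be a real lookup, so a caller
# cannot walk the directory one character at a time.
MIN_TERM_LEN = 3


def make_db():
    """Build an in-memory table resembling a user directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, EmailAddress TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_naive(conn, term):
    """Substring search that passes the user's text straight into LIKE.
    The value is bound, so this is not SQL injection, but '%' and '_'
    inside `term` are still wildcards: a term of '%' matches every row."""
    rows = conn.execute(
        "SELECT EmailAddress FROM Users WHERE EmailAddress LIKE ?",
        ("%" + term + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so they match themselves literally.
    The escape character itself is doubled first."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_hardened(conn, term):
    """Same search with wildcards neutralised and a minimum term length.
    Raises ValueError for terms shorter than MIN_TERM_LEN."""
    if len(term.strip()) < MIN_TERM_LEN:
        raise ValueError("search term too short")
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT EmailAddress FROM Users WHERE EmailAddress LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("naive    '%'     ->", search_naive(db, "%"))        # every address
    print("hardened '%%%'   ->", search_hardened(db, "%%%"))   # nothing
    print("hardened 'alice' ->", search_hardened(db, "alice"))
```

Note that binding the parameter is not enough on its own: the wildcard is interpreted by the LIKE operator after binding, so the escaping has to happen on the application side, and the ESCAPE clause must name the same character. An authorization check (only users who may modify the ticket get to search at all) belongs in front of either function; it is omitted here to keep the focus on the wildcard.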