Possible permissions (ModifyTicket) bug in 3.4.5?

Hello,
We have been removing all global permissions from the Privileged user
group on our RT install, to let some important customers have access to
their own support queue. In doing this, we seem to have stumbled on what
appears to be a bug with the ModifyTicket setting. The user is able to
search for email addresses through the “People” area of a ticket, and
return a list of every email address known to rt.

Users in the CustnameEmployees group have the following permissions for
their queue. The users are privileged, and I have spent most of the
morning ensuring the Privleged group does not have any global
rights.
CreateTicket
ReplyToTicket
SeeQueue
ShowTicket
Watch

Logging in as one of those users, I can see the queue, and open tickets,
and I can not edit any values for the ticket information, as expected.
However, when you click on the blue “People” bar at the top of a ticket,
you can search for email addresses, and have valid addresses returned. The
real danger comes when you search for people whose userid contains %. This
returns a list of every email address known to rt. Warning this
potentially puts a very big load on the server, and your browser. It seems
that a user without ModifyTicket should not be able to search for email
addresses, and nobody should be able to search for %. Has anyone else
noticed this behavior?

Thanks,
Claude Schrader

ps. thanks for RT, its been great for us. - we have managed to roll a number
of legacy tools into it, having one place for everything

Claude M. Schrader 302-295-4707
Network Technician 215-701-6500 x4707
Consult Dynamics/DCANet 888-4DCANet (888-432-2638)
cschrader@dca.net http://www.dca.net

Hello,
We have been removing all global permissions from the Privileged user
group on our RT install, to let some important customers have access to
their own support queue. In doing this, we seem to have stumbled on what
appears to be a bug with the ModifyTicket setting. The user is able to
search for email addresses through the “People” area of a ticket, and
return a list of every email address known to rt.

I don’t think this is a bug, more like a feature. RT makes the
assumption that Privileged users are just that, privileged.

What it seems you’re attempting to do (setup mini-instances using
queues) is not how RT is designed to operate (to my understanding).
However, that being said, you should be able to add your own custom
Rights to handle your situation. There may even be somebody who has done
it already.

Joshua Colson jcolson@voidgate.org

Hello,
We have been removing all global permissions from the Privileged user
group on our RT install, to let some important customers have access to
their own support queue. In doing this, we seem to have stumbled on what
appears to be a bug with the ModifyTicket setting. The user is able to
search for email addresses through the “People” area of a ticket, and
return a list of every email address known to rt.

‘%’ in searches is really feature and works like wildcard.
I agree that if you couldn’t modify people then you shouldn’t be able
to get list of the users.

I don’t think this is a bug, more like a feature. RT makes the
assumption that Privileged users are just that, privileged.
I don’t agree with this. Privileged are people who can have some
privileges given to them directly or via groups membership.

What it seems you’re attempting to do (setup mini-instances using
queues) is not how RT is designed to operate (to my understanding).
However, that being said, you should be able to add your own custom
Rights to handle your situation. There may even be somebody who has done
it already.
And I don’t agree with this too. RT is not well designed for setups
with many queues (one queue per customer for example), but works good
with one ‘support’ queue for all support requests from customers.


Joshua Colson jcolson@voidgate.org


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html

Best regards, Ruslan.

I don’t think this is a bug, more like a feature. RT makes the
assumption that Privileged users are just that, privileged.

by that logic, everybody in the system should be a superuser. Just because
you have a login to my network, it doesnt mean that I shouldn’t be able to
limit your access

And I don’t agree with this too. RT is not well designed for setups
with many queues (one queue per customer for example), but works good
with one ‘support’ queue for all support requests from customers.

Yeah, we have a general support queue too, but this is a very big customer, so
its nice to have all their requests seperate.
Thanks,
Claude

Claude M. Schrader 302-295-4707
Network Technician 215-701-6500 x4707
Consult Dynamics/DCANet 888-4DCANet (888-432-2638)
cschrader@dca.net http://www.dca.net