Read only guest access

(Jesse asked if I’d share this with everyone.)

For a new (relatively public) RT install I configured, I needed a way
to provide public read-only access. “Ok,” I thought, “I’ll just
create a guest account without write permissions.”

If only it was that easy.

I made a few attempts at simple tweaks, even a complicated alternative
interface with redirection for authenticated users, but nothing was
working just right. I was working against RT’s ACL system, trying to
go around it, and it was starting to be a major effort, full of half
starts and twisty packages. [3]

As Jesse said:

"The problem is that RT's ACL system doesn't support 
negating rights." [2]

Why was this a problem, you might ask? The answer, for those who
haven’t already guessed, is the need to create and append to tickets
via email. The email users are auto-created as unprivileged users.
This means they are only part of the Everyone pseudo group. Thus, I
must give the Everyone group write access. That means, since there is
no way to revoke it, that the guest account has write ability. You
lose. Go directly to jail. Do not pass go. Do not collect $200.

The answer, in the end, was amazingly simple. A six line patch, and
one line in the database. (Plus the appropriate ACL settings, of
course.)

— User.pm.2-0-7 Sat Sep 15 20:56:18 2001
+++ User.pm Sat Sep 15 21:29:25 2001
@@ -859,6 +859,12 @@
(PrincipalType = ‘Group’) AND
(Groups.Id = PrincipalId))");

  • if (!$self->Privileged()) {
  •   push (@MetaPrincipalsSubClauses,  "((Groups.Name = 'UnPrivileged') AND 
    
  •                                   (PrincipalType = 'Group') AND 
    
  •                                   (Groups.Id = PrincipalId))");
    
  • }
    if ($args{‘IsAdminCc’}) {
    push (@MetaPrincipalsSubClauses, "((Groups.Name = ‘AdminCc’) AND
    (PrincipalType = ‘Group’) AND
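Review bot: the new block adds the UnPrivileged subclause for every principal where `!$self->Privileged()` is true, so the read-only guest account only stays read-only if it is created as a privileged user; an unprivileged guest would match this clause and pick up whatever write rights are granted to UnPrivileged. A one-line comment above the `if` stating that assumption would save the next administrator a surprise. Also, the subclause matches on the literal `Groups.Name = 'UnPrivileged'`; if that row is missing or named differently, the clause silently matches nothing and unprivileged (email) users lose their write rights with no error, so a startup check that the row exists, or a shared constant for the name, would be worth adding.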

Groups:
| id | Name | Description | Pseudo |
| 9 | UnPrivileged | Psuedogroup | 1 |

Obviously the ‘9’ will change based on where in the Groups table this
ends up.

It’s very important that the name in the table be the same as the name
in the code.

The new UnPrivileged pseudo group represents all the users who are not
privileged. (Obvious, eh?) This group receives only the write
permissions (CreateTicket, etc.). The Everyone group receives only
read permissions. (Or, for even less, you could use another group for
that.)
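To see why moving the write rights off Everyone and onto the new pseudo group is what makes the guest read-only, here is an added example (not RT's code, and not RT's real schema): it models the meta-principal subclause logic from the patch over a constructed, simplified pair of tables and compares the two grant layouts, the "everything on Everyone" layout from before and the "reads on Everyone, writes on UnPrivileged" layout described above. The table and column names, the group Ids and the two sample users are assumptions made for the illustration.

```python
import sqlite3

# Constructed, simplified stand-in for the relevant tables (an assumption, not RT's schema).
SCHEMA = """
CREATE TABLE Groups (
    Id INTEGER PRIMARY KEY,
    Name TEXT NOT NULL,
    Pseudo INTEGER NOT NULL
);
CREATE TABLE ACL (
    PrincipalType TEXT NOT NULL,
    PrincipalId INTEGER NOT NULL,
    RightName TEXT NOT NULL
);
"""

# Sample pseudo groups. The Ids are arbitrary here, just as the post says the real '9' is.
PSEUDO_GROUPS = [(1, "Everyone", 1), (9, "UnPrivileged", 1)]

# The two grant layouts being compared: group name -> rights granted to it.
BEFORE = {"Everyone": ["ShowTicket", "CreateTicket"]}
AFTER = {"Everyone": ["ShowTicket"], "UnPrivileged": ["CreateTicket"]}


def build_db(grants):
    """Create an in-memory database holding the pseudo groups and one ACL layout."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Groups VALUES (?, ?, ?)", PSEUDO_GROUPS)
    for group, rights in grants.items():
        (gid,) = db.execute("SELECT Id FROM Groups WHERE Name = ?", (group,)).fetchone()
        db.executemany("INSERT INTO ACL VALUES ('Group', ?, ?)", [(gid, r) for r in rights])
    return db


def pseudo_group_present(db, name="UnPrivileged"):
    """Sanity check for the post's warning: the row name must match the code's literal exactly
    (SQLite's TEXT comparison is case-sensitive, so 'Unprivileged' would not match)."""
    (n,) = db.execute("SELECT COUNT(*) FROM Groups WHERE Name = ? AND Pseudo = 1", (name,)).fetchone()
    return n == 1


def meta_principal_subclauses(privileged):
    """Mirror of the patched loop: Everyone always applies; UnPrivileged only when the
    user is not privileged."""
    clauses = [
        "((Groups.Name = 'Everyone') AND (PrincipalType = 'Group') AND (Groups.Id = PrincipalId))"
    ]
    if not privileged:
        clauses.append(
            "((Groups.Name = 'UnPrivileged') AND (PrincipalType = 'Group') AND (Groups.Id = PrincipalId))"
        )
    return clauses


def has_right(db, privileged, right):
    """Does a user with only pseudo-group membership hold this right under the current ACL?"""
    where = " OR ".join(meta_principal_subclauses(privileged))
    sql = f"SELECT COUNT(*) FROM ACL, Groups WHERE RightName = ? AND ({where})"
    (n,) = db.execute(sql, (right,)).fetchone()
    return n > 0


def rights_matrix(grants):
    """Return {(user, right): bool} for a privileged guest and an unprivileged email user."""
    db = build_db(grants)
    users = {"guest (privileged)": True, "email user (unprivileged)": False}
    return {
        (user, right): has_right(db, privileged, right)
        for user, privileged in users.items()
        for right in ("ShowTicket", "CreateTicket")
    }


if __name__ == "__main__":
    for label, grants in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for (user, right), allowed in rights_matrix(grants).items():
            print(f"{user:26s} {right:13s} {'yes' if allowed else 'no'}")
```

With the "before" layout both users can create tickets, because the guest is in Everyone like everyone else and nothing can take the right back. With the "after" layout the guest keeps ShowTicket and loses CreateTicket, while the unprivileged email user still gets CreateTicket through the UnPrivileged clause. Note that this only holds because the guest account is a privileged user; an unprivileged guest would satisfy the same `not privileged` test and inherit the write rights.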

Stir. Do not shake.

You now have a system where you can have a read only user.

Enjoy!

-R

Addendum:

[1] - Throughout this document I’ve simplified permissions to “read”
permissions and “write” permissions. It’s up to the reader to
figure out which are which.

[2] - The rest of that quote is: “It just made things too god-awful
complex. my kingdom for a decent ACL server.” This would be a
great contribution for anyone with spare time.

[3] - As a plus, I got a nice tour around the internals of RT. Very
easy to understand.