I have an RT 4.0.8 server that uses External Authentication (CAS) and has multiple aliases. I run mailgate, but as a policy, all ticket creation/submissions by regular (unprivileged) users are done through the /SelfServe webpage. Someone has requested that I allow the use of “ticket templates” for certain types of ticket submissions, e.g. via a website or email hyperlink. For example, the link
http://server-alias1.example.com/Create.html?Queue=12&Subject=Computer Setup Request&Content=%0APrimary User%3A %0AIs this a Computer? (Mac or PC)%3A
creates a ticket template with the subject “Computer Setup Request” already filled in and with a short questionnaire in the body filled in, e.g. “Primary User”, “Is this a Computer? (Mac or PC):”, etc.
The default RT configuration gives a cross-site request forgery restriction warning. I understand that the RT config variables ReferrerWhitelist, RestrictLoginReferrer, RestrictReferrer handle cross-site request forgery restrictions.
However, I am confused and frustrated by the limitations/restrictions of each of the “Referrer” parameters as I would like to not have the forgery warning appear for our users (who are already signed in through CAS). For example, on my system,
if RestrictReferrer is false (i.e. Set($RestrictReferrer, '0')), the link above works (i.e. no cross-site request forgery warning) for privileged users only, but will not work (the cross-site request forgery message appears) for unprivileged users (all of ours who have login access via SelfServe). It sends unprivileged users to SelfServe instead.
ReferrerWhitelist [Set(@ReferrerWhitelist, qw(*.example.com:443 *.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to work at all, and all users, privileged and unprivileged, get the cross-site request forgery message.
IT & Instrumentation Consultant
Dept of Molecular Biology and Biochemistry
Simon Fraser University
“It takes ten years to become good at being a kid. Then another ten years
to become good at not being a kid” - Larry Wall.