RT (4.0.18) search engine is leaking information about disallowed tickets

Hi,

I’m experiencing something weird with the latest 4.0.xx release: when some
low-privilege users search for tickets, RT gives away unwanted
information.

Example: the default dashboard search for unowned tickets displays “70
tickets found” in the title, includes a two-page navigation, but only
displays 1 ticket, the only one the user is allowed to see.

This also breaks the dashboard view: since the first ten tickets aren’t
accessible, the view is empty.

I’m not sure if it’s a recent change or not, since up to now all of our
users had at least read-only access to all of the queues/tickets.

Is it a known problem?

Regards,
benoit

> I’m experiencing something weird with the latest 4.0.xx release: when some low-privilege
> users search for tickets, RT gives away unwanted information.
>
> Example: the default dashboard search for unowned tickets displays “70 tickets found” in the
> title, includes a two-page navigation, but only displays 1 ticket, the only one the user
> is allowed to see.
>
> This also breaks the dashboard view: since the first ten tickets aren’t accessible, the view is
> empty.
>
> I’m not sure if it’s a recent change or not, since up to now all of our users had at least
> read-only access to all of the queues/tickets.

http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks

Off on 4.0, on on 4.2. You sound like you want to turn it on.

-kevin
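As an added illustration of the symptom in this thread (this is not RT's own code): a search whose total and page count come from an unfiltered query while rows are dropped afterwards by a per-row rights check, next to the same search with the rights check inside the query, which is what the UseSQLForACLChecks option selects. The tickets, queue names, user and page size below are constructed sample data.

```python
# Added illustration (not RT's code): why a post-query rights filter leaks the
# total count and the page navigation while hiding the rows themselves.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    owner: str


# Constructed sample data: 70 unowned tickets, only one in a queue the user may read.
TICKETS = [Ticket(i, "support" if i == 7 else "internal", "Nobody") for i in range(1, 71)]
RIGHTS = {"alice": {"support"}}  # constructed: queue names each user may read
PAGE_SIZE = 50                   # constructed: rows per result page


def can_see(user, ticket):
    """The rights check a low-privilege user is subject to."""
    return ticket.queue in RIGHTS.get(user, set())


def search_leaky(user, tickets):
    """Models the 4.0 default (option off): the query ignores rights, the
    count and pagination are taken from that query, rows are dropped later."""
    matched = [t for t in tickets if t.owner == "Nobody"]      # what the query returned
    total, pages = len(matched), -(-len(matched) // PAGE_SIZE)
    visible = [t for t in matched if can_see(user, t)]         # per-row rights check
    return {"total": total, "pages": pages, "rows": [t.id for t in visible]}


def search_acl_in_query(user, tickets):
    """Models the option on: the rights test is part of the query, so the
    count and pagination only reflect rows the user may actually see."""
    matched = [t for t in tickets if t.owner == "Nobody" and can_see(user, t)]
    return {"total": len(matched), "pages": -(-len(matched) // PAGE_SIZE),
            "rows": [t.id for t in matched]}


def leaks_count(result):
    """True when the reported total exceeds the rows actually shown."""
    return result["total"] > len(result["rows"])
```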

Oh yes, thanks.

2013/12/13 Kevin Falcone <falcone@bestpractical.com>:

> On Fri, Dec 13, 2013 at 04:06:20PM +0100, benoit plessis wrote:
>
> > I’m experiencing something weird with the latest 4.0.xx release: when
> > some low-privilege
> > users search for tickets, RT gives away unwanted information.
> >
> > Example: the default dashboard search for unowned tickets displays “70
> > tickets found” in the
> > title, includes a two-page navigation, but only displays 1
> > ticket, the only one the user
> > is allowed to see.
> >
> > This also breaks the dashboard view: since the first ten tickets
> > aren’t accessible, the view is
> > empty.
> > I’m not sure if it’s a recent change or not, since up to now all of
> > our users had at least
> > read-only access to all of the queues/tickets.
>
> http://bestpractical.com/docs/rt/latest/RT_Config.html#UseSQLForACLChecks
>
> Off on 4.0, on on 4.2. You sound like you want to turn it on.
>
> -kevin