RT: Essentials -- ToDo example

Before I post a bug report I wanted to find out if I misunderstood the
example on pages 113-114 “Personal To-Do Lists”.

After a “miss-reading” I changed the ACLs to the correct setting but a
ToDo Queue item I created is visible to other, normal-Privileged, users.

Initially I set the ACLs so Everyone ( instead of Privileged Users )
could SeeQueue, CreateTicket, and OwnTicket. But the Owner group was
set correctly(?): CommentOnTicket, ShowTicket, ShowTicketComments,
ReplyToTicket, and ModifyTicket.

I accessed the Ticket ( as another user ) with the Everyone ACLs set
then went back and corrected them but can still access the ticket as
that and other users.

Did I misunderstand the ACLs? Can there be a Queue everyone can access
but they can only see their tickets?

Oh yeah! RT 3.4.4

Rod

> Before I post a bug report I wanted to find out if I misunderstood the
> example on pages 113-114 “Personal To-Do Lists”.
>
> After a “miss-reading” I changed the ACLs to the correct setting but a
> ToDo Queue item I created is visible to other, normal-Privileged, users.
>
> Initially I set the ACLs so Everyone ( instead of Privileged Users )
> could SeeQueue, CreateTicket, and OwnTicket. But the Owner group was
> set correctly(?): CommentOnTicket, ShowTicket, ShowTicketComments,
> ReplyToTicket, and ModifyTicket.
>
> I accessed the Ticket ( as another user ) with the Everyone ACLs set
> then went back and corrected them but can still access the ticket as
> that and other users.

Maybe your users have ‘ShowTicket’ right for this queue. Didn’t get
book yet, but I think it uses roles to delegate correct rights to
user. You have to revoke ‘ShowTicket’ right from all users and groups
on this queue and only grant it via Requestor and/or Owner role.

> Did I misunderstand the ACLs? Can there be a Queue everyone can access
> but they can only see their tickets?
>
> Oh yeah! RT 3.4.4
>
> Rod

Best regards, Ruslan.

> Did I misunderstand the ACLs? Can there be a Queue everyone can access
> but they can only see their tickets?

Yes, but you need to make sure that only owner and/or requestor can
ShowTicket.

I am also experiencing problems with a ToDo queue. I have RT 3.4.2 and
have followed the setting as per the book. Privileged users cannot see
the queue in the “Quick Search” list. To get the ToDo queue visible I
also need to grant show ticket to Privileged, which obviously means it
is no longer personal.

I have tried putting the different rights on different groups but have
had no success.

What am I missing???

– Sean

Dr Sean M Killen
UNIX Support Officer
Faculty of Biological Sciences
L C Miall Building
University of Leeds
LEEDS
LS2 9JT
United Kingdom

Tel: +44 (0)113 3433148
Mob: +44 (0)776 8670907
Fax: +44 (0)113 3433167

GnuPG Key ID: ee0d36f0

Jesse Vincent wrote:

> > Did I misunderstand the ACLs? Can there be a Queue everyone can access
> > but they can only see their tickets?
>
> Yes, but you need to make sure that only owner and/or requestor can
> ShowTicket.

Sorry, I didn’t realize I had only replied to Jesse. Here is the
message again.

Jesse, Ruslan;

Ah, found it. I had granted “Global” rights to the group the users were
in that I was testing with. I needed/wanted to grant on their queue(s)
and must have fat-fingered it.

Thanks for the clue-stick.

Rod

> Jesse Vincent wrote:
>
> > > Did I misunderstand the ACLs? Can there be a Queue everyone can access
> > > but they can only see their tickets?
> >
> > Yes, but you need to make sure that only owner and/or requestor can
> > ShowTicket.
>
> Sorry, I didn’t realize I had only replied to Jesse. Here is the
> message again.
>
> Jesse, Ruslan;
>
> Ah, found it. I had granted “Global” rights to the group the users were
> in that I was testing with. I needed/wanted to grant on their queue(s)
> and must have fat-fingered it.
>
> Thanks for the clue-stick.

Soon I will be making the first public release of RTx::RightMatrix.
This RT extension makes it really easy to see all the rights a
user, group, or role has. You can then click on a right and see
all the different ways that the user/group/role was granted that right.

-Todd

> Soon I will be making the first public release of RTx::RightMatrix.
> This RT extension makes it really easy to see all the rights a
> user, group, or role has. You can then click on a right and see
> all the different ways that the user/group/role was granted that right.

Woo, and likewise hoo!

How hard would it be to extend that into something like a debug mode,
where the system could log which path of rights permitted something
when it’s done? Or does it already log that?

Cheers,
– jra
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274

"NPR has a lot in common with Nascar... we both turn to the left."
	- Peter Sagal, on Wait Wait, Don't Tell Me!

> > Soon I will be making the first public release of RTx::RightMatrix.
> > This RT extension makes it really easy to see all the rights a
> > user, group, or role has. You can then click on a right and see
> > all the different ways that the user/group/role was granted that right.
>
> Woo, and likewise hoo!
>
> How hard would it be to extend that into something like a debug mode,
> where the system could log which path of rights permitted something
> when it’s done? Or does it already log that?

When Principal::HasRight is called, many strange and wondrous
things happen. To oversimplify it, some fancy SQL queries are
built that are essentially:

select count(id) from ACL where

So HasRight does not trigger on a specific right, but by the
existence of one or more Access Control Entries that would satisfy
the criteria.

My extension (which is available now in Subversion) will help you
figure out after the fact how the user was able to do .

-Todd
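
The resolution of this thread (a global grant to a group defeating a queue-level, role-only ShowTicket setup) and the existence-style check described above can be modelled in a few lines. This is an added example, not part of the original thread and not RT's code; the table layout, the "Testers" group, the users alice and bob, and the choice of ShowTicket as the globally granted right are assumptions made for illustration.

```python
import sqlite3

# Constructed data: a simplified ACE table, not RT's real schema.
# The "Testers" group and the user names are hypothetical.
ACES = [
    ("group:Privileged", "SeeQueue", "Queue", "ToDo"),
    ("group:Privileged", "CreateTicket", "Queue", "ToDo"),
    ("role:Owner", "ShowTicket", "Queue", "ToDo"),
    ("group:Testers", "ShowTicket", "System", ""),  # mistaken global grant
]
GROUPS = {"alice": ["Privileged"], "bob": ["Privileged", "Testers"]}
TICKET = {"queue": "ToDo", "owner": "alice", "requestor": "alice"}

def make_db(aces=ACES):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (id INTEGER PRIMARY KEY, principal TEXT,"
               " right_name TEXT, object_type TEXT, object_id TEXT)")
    db.executemany("INSERT INTO acl (principal, right_name, object_type,"
                   " object_id) VALUES (?, ?, ?, ?)", aces)
    return db

def principals(user, ticket):
    """Every principal the user acts as for this ticket: groups and roles."""
    found = ["Everyone"] + ["group:" + g for g in GROUPS.get(user, [])]
    if ticket["owner"] == user:
        found.append("role:Owner")
    if ticket["requestor"] == user:
        found.append("role:Requestor")
    return found

def granting_aces(db, user, right, ticket):
    """Return every ACE that satisfies the check (the 'why' of a grant)."""
    who = principals(user, ticket)
    marks = ",".join("?" * len(who))
    sql = ("SELECT principal, object_type, object_id FROM acl"
           " WHERE right_name = ? AND principal IN (" + marks + ")"
           " AND (object_type = 'System'"
           " OR (object_type = 'Queue' AND object_id = ?)) ORDER BY id")
    return db.execute(sql, [right, *who, ticket["queue"]]).fetchall()

def has_right(db, user, right, ticket):
    # Existence check: a single matching ACE at any scope is enough.
    return len(granting_aces(db, user, right, ticket)) > 0

if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "bob"):
        print(user, has_right(db, user, "ShowTicket", TICKET),
              granting_aces(db, user, "ShowTicket", TICKET))
```

Listing the matching entries rather than only counting them shows which scope granted the right, which is the question the queue-level configuration alone cannot answer.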