RT self service view - Required privileges

I am currently trying to get the self service module of RT working for
my site and noticed what looks like a security issue. When a user is
granted the “ShowTicket” right, they are able to change the ticket id
number in the URL, i.e. http:///SelfService/Display.html?id=32
to http:///SelfService/Display.html?id=33, and view a ticket
that has been requested by another user.

Is there a better way to approach this problem than granting the
Everyone group the ShowTicket right? I would really prefer to only allow
a user to see those tickets that belong to them.

Thanks,

Thomas

Thomas Armstrong
University Of Northern British Columbia
Senior Systems Administrator
Email: thomas@unbc.ca

If you grant the ShowTicket in a queue or global context, that is the correct behaviour. You should grant the privilege to the role “Requestor”.

If you don’t have an email address on an account, they won’t be attached as requestor to the cases they make, so make sure people have email addresses on their accounts.

Cheers, Bjorn

Yes, grant the Requestor group the ShowTicket right.
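To make the two answers above concrete, here is a small model of how a right resolves against a ticket. It is an added illustration written for this thread, not RT's own code or API: a right granted to the system group Everyone applies to every ticket, while a right granted to the Requestor role only applies to users attached to that ticket's requestors, which is also why an account without an email address ends up unable to see even its own tickets.

```python
# Simplified model of right resolution for a ticket (constructed for
# illustration; not RT's own code). A right can be granted to the system
# group "Everyone" (global/queue context) or to the role group "Requestor".
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: int
    queue: str
    requestors: set = field(default_factory=set)  # email addresses


@dataclass
class AccessPolicy:
    # right name -> set of grant targets ("Everyone" or "Requestor")
    grants: dict = field(default_factory=dict)

    def has_right(self, user_email, right, ticket):
        """True if the user may exercise `right` on `ticket`."""
        targets = self.grants.get(right, set())
        if "Everyone" in targets:
            return True  # global grant: any user, any ticket id in the URL
        if "Requestor" in targets:
            # role grant: only users attached to this ticket's Requestor role
            return user_email is not None and user_email in ticket.requestors
        return False


def create_ticket(ticket_id, queue, creator_email):
    """An account with an email address becomes requestor of the ticket it
    creates; an account without one is not attached to the role at all."""
    requestors = {creator_email} if creator_email else set()
    return Ticket(ticket_id, queue, requestors)


def visible_tickets(policy, user_email, tickets):
    """Ticket ids the user could open via SelfService/Display.html?id=..."""
    return sorted(t.id for t in tickets
                  if policy.has_right(user_email, "ShowTicket", t))


# Constructed sample data: two users who each requested one ticket.
TICKETS = [create_ticket(32, "General", "alice@example.org"),
           create_ticket(33, "General", "bob@example.org")]
EVERYONE_POLICY = AccessPolicy({"ShowTicket": {"Everyone"}})
REQUESTOR_POLICY = AccessPolicy({"ShowTicket": {"Requestor"}})
```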