I am currently trying to get the self service module of RT working for
my site and noticed what looks like a security issue. When a user is
granted the “ShowTicket” right, they are able to change the ticket id
number in the URL, i.e. http:///SelfService/Display.html?id=32
to http:///SelfService/Display.html?id=33 and view a ticket
that has been requested by another user.
Is there a better way to approach this problem than granting the
Everyone group the ShowTicket right? I would really prefer to only allow
a user to see those tickets that belong to them.
University Of Northern British Columbia
Senior Systems Administrator
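
The behaviour described in the message above, as an added example that is not part of the original post and is not RT's own code: a small model of a rights check where ShowTicket is held by a group containing every user, next to the same check where it is held only by a per-ticket requestor role. The class and function names, the "Requestor" role name, and the ticket data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ticket:
    id: int
    requestor: str
    subject: str

# Constructed sample data: two tickets opened by different users.
TICKETS = {
    32: Ticket(32, "alice", "Printer offline"),
    33: Ticket(33, "bob", "Password reset"),
}

@dataclass
class Acl:
    # right name -> principals holding it. A principal is either a group
    # ("Everyone") or a per-ticket role ("Requestor"); both are hypothetical.
    grants: dict = field(default_factory=dict)

    def grant(self, principal, right):
        self.grants.setdefault(right, set()).add(principal)

    def has_right(self, user, right, ticket):
        principals = self.grants.get(right, set())
        if "Everyone" in principals:
            return True  # group-wide grant: the ticket is never consulted
        # Role grant: resolved against the specific ticket being requested.
        return "Requestor" in principals and ticket.requestor == user

def display(acl, user, ticket_id):
    """Model of a display handler: the id comes from the URL, so the
    authorization decision must be made against that exact ticket."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or not acl.has_right(user, "ShowTicket", ticket):
        return None  # identical result for "missing" and "not allowed"
    return ticket.subject

def visible_ids(acl, user):
    return sorted(i for i in TICKETS if display(acl, user, i) is not None)

everyone_acl = Acl()
everyone_acl.grant("Everyone", "ShowTicket")
requestor_acl = Acl()
requestor_acl.grant("Requestor", "ShowTicket")

if __name__ == "__main__":
    for name, acl in (("Everyone", everyone_acl), ("Requestor", requestor_acl)):
        print(name, {u: visible_ids(acl, u) for u in ("alice", "bob")})
```
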