Security concern for RT 3.3/3.4 CF access controls

If a user of RT 3.3/3.4 is not allowed to see the value
of certain custom fields, what keeps them from seeing
the value being set in the ticket history. Is a rights
check done for each transaction?

And yes, I’m too busy at the moment to look at the code
myself. :slight_smile:

BTW, Asset Tracker v0.1alpha is coming along nicely!

-Todd

A quick test in 3.3.12 suggests there’s nothing to prevent the user from
seeing the transaction in the ticket history.

Steve

At Thursday 12/2/2004 02:15 PM, Todd Chapman wrote:

If a user of RT 3.3/3.4 is not allowed to see the value
of certain custom fields, what keeps them from seeing
the value being set in the ticket history. Is a rights
check done for each transaction?

And yes, I’m too busy at the moment to look at the code
myself. :slight_smile:

BTW, Asset Tracker v0.1alpha is coming along nicely!

-Todd


Rt-devel mailing list
Rt-devel@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

Stephen Turner
Senior Programmer/Analyst - Client Support Services
Information Services and Technology (IS&T)

sturner@mit.edu

A quick test in 3.3.12 suggests there’s nothing to prevent the user from
seeing the transaction in the ticket history.

Yep. I expect to have this fixed today.

A quick test in 3.3.12 suggests there’s nothing to prevent the user from
seeing the transaction in the ticket history.

Revision 1953 fixes this issue. I’ve got a couple more things to go in
before the next point release, which I may try to make 3.4RC1.