SelfService Display.html, keep in SelfService. 3.8

I want to prevent a requestor using the SelfService web UI from
navigating into the Ticket tree, thus keeping the interface simple for
the requestor. In SelfService/Display.html, the history display utilizes
/Ticket/Elements/ShowHistory on line 75, which displays transactions
with /Ticket/Elements/ShowTransaction. In ShowTransaction, line 54,

<td rowspan="2" valign="top" class="type">
  <a name="txn-<% $Transaction->Id %>" href="<% $DisplayPath

%>#txn-<% $Transaction->Id %>">#
<% $LastTransaction ? ‘’ :
‘’|n %>

Tom Remmers
KDH Consulting
206.909.0404
tom@kdhconsulting.net

I want to prevent a requestor using the SelfService web UI from
navigating into the Ticket tree, thus keeping the interface simple for
the requestor. In SelfService/Display.html, the history display
utilizes
/Ticket/Elements/ShowHistory on line 75, which displays transactions
with /Ticket/Elements/ShowTransaction. In ShowTransaction, line 54,

That’s the whole point of SelfService. RT should automatically be
preventing users who get the SelfService UI from navigating to
anything not under /SelfService. What’s the issue?

Jesse,

In the RT 3.8 distribution, the “#” link in /SelfService/Display.html
takes you directly to /Ticket/Display.html (as an analysis of the source
code confirmed). For me, the issue is that I want to change the source
code so that either a) the /SelfService/Display.html “#” link points to
/SelfService/Display.html, or b) the “#” link is hidden.

The /SelfService/ directory is almost perfect for our requestor users -
but I want to make sure they cannot easily navigate into the /Ticket
tree. The /Ticket/Display.html page has additional options in the menu
on the left: Ticket Search, Tools, Preferences, Approval, etc. that I do
not want the standard requestor user to see. These links add no value to
my requestors and most of them will be confused by the added choices. As
a result more work will be generated by trying to explain these options,
which is the opposite of our goal in deploying RT.

Thinking about this some more, even as a SuperUser, the “#” link offers
minimal value, because it is essentially a link to itself. From a quick
inspection, /Ticket/Elements/ShowHistory is only utilized in
/Ticket/Display.html, /Ticket/History.html, and /Approvals/Display.html
— hmm, and I can live with the “#” link being hidden in all these
pages.

Best Regards,

Tom Remmers
KDH ConsultingFrom: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Wednesday, July 30, 2008 10:28 AM
To: Tom Remmers
Cc: rt-devel@lists.bestpractical.com
Subject: Re: [Rt-devel] SelfService Display.html, keep in SelfService.
3.8.

Jesse,

In the RT 3.8 distribution, the “#” link in /SelfService/Display.html
takes you directly to /Ticket/Display.html (as an analysis of the source
code confirmed).

Do your non-privileged users get to the /Ticket/Display.html page?
Note that testing this as a staff user won’t work, as staff users have
the right to see /Ticket/Display.html

For me, the issue is that I want to change the source
code so that either a) the /SelfService/Display.html “#” link points to
/SelfService/Display.html, or b) the “#” link is hidden.

Why? RT has code to automatically get SelfService users to
/SelfService/Display.html?.. if they try to visit
/Ticket/Display.html

Keeping that link as /Ticket/Display.html means that all users, no
matter who they are, can share the unique url to the ticket and the
right thing will happen.

Thinking about this some more, even as a SuperUser, the “#” link offers
minimal value, because it is essentially a link to itself.

They are a way to share links to particular ticket updates with others.
(Page ‘anchors’)

Jesse,

Do your non-privileged users get to the /Ticket/Display.html page?

Yes. My test user is only in the Everyone group, which has the following
rights. From my online research and experimentation, these are the
minimum required to create and view tickets. It could be that one of
these rights also lets the user into /Ticket/.

CommentOnTicket, CreateTicket, ModifySelf, ReplyToTicket, SeeQueue

I reduced the rights to “CreateTicket, ReplyToTicket, SeeQueue” and
could still get to /Ticket. I can’t see reducing the rights any more
than this.

In my RT deployment, there are no groups defined and no other rights
defined. I have not yet deployed
AutoRedirectToSelfService - Request Tracker Wiki, however I
do not see how that would affect the current issue.

Why? RT has code to automatically get SelfService users to
/SelfService/Display.html?.. if they try to visit
/Ticket/Display.html

I now see code in share/html/autohandler that looks like it does the
redirection for non-Priviledged users, but the redirection does not
appear to be working in my RT deployment.

Best Regards,

TomFrom: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Wednesday, July 30, 2008 11:28 AM
To: Tom Remmers
Cc: Jesse Vincent; rt-devel@lists.bestpractical.com
Subject: Re: [Rt-devel] SelfService Display.html, keep in SelfService.
3.8.

Jesse,

In the RT 3.8 distribution, the “#” link in /SelfService/Display.html
takes you directly to /Ticket/Display.html (as an analysis of the
source
code confirmed).

Do your non-privileged users get to the /Ticket/Display.html page?
Note that testing this as a staff user won’t work, as staff users have
the right to see /Ticket/Display.html

For me, the issue is that I want to change the source
code so that either a) the /SelfService/Display.html “#” link points
to
/SelfService/Display.html, or b) the “#” link is hidden.

Why? RT has code to automatically get SelfService users to
/SelfService/Display.html?.. if they try to visit
/Ticket/Display.html

Keeping that link as /Ticket/Display.html means that all users, no
matter who they are, can share the unique url to the ticket and the
right thing will happen.

Thinking about this some more, even as a SuperUser, the “#” link
offers
minimal value, because it is essentially a link to itself.

They are a way to share links to particular ticket updates with others.
(Page ‘anchors’)

Jesse,

Do your non-privileged users get to the /Ticket/Display.html page?

Yes. My test user is only in the Everyone group, which has the
following
rights. From my online research and experimentation, these are the
minimum required to create and view tickets. It could be that one of
these rights also lets the user into /Ticket/.

Does this user have the checkbox " Let this user be granted rights"
checked? That’s what turns a user from a self-service user into a full
user who can work with RT tickets and sees the full ui.

Jesse,

That did it. I did not realize that “Let this user be granted rights”
was equivalent to “Privileged User.” I was looking in the User →
Memberships tab to look for Privileged Group status.

Thank you for your help.

TomFrom: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Wednesday, July 30, 2008 12:40 PM
To: Tom Remmers
Cc: rt-devel@lists.bestpractical.com
Subject: Re: [Rt-devel] SelfService Display.html, keep in SelfService.
3.8.

Jesse,

Do your non-privileged users get to the /Ticket/Display.html page?

Yes. My test user is only in the Everyone group, which has the
following
rights. From my online research and experimentation, these are the
minimum required to create and view tickets. It could be that one of
these rights also lets the user into /Ticket/.

Does this user have the checkbox " Let this user be granted rights"
checked? That’s what turns a user from a self-service user into a full
user who can work with RT tickets and sees the full ui.

CommentOnTicket, CreateTicket, ModifySelf, ReplyToTicket, SeeQueue

I reduced the rights to “CreateTicket, ReplyToTicket, SeeQueue” and
could still get to /Ticket. I can’t see reducing the rights any more
than this.

In my RT deployment, there are no groups defined and no other rights
defined. I have not yet deployed
AutoRedirectToSelfService - Request Tracker Wiki,
however I
do not see how that would affect the current issue.

Why? RT has code to automatically get SelfService users to
/SelfService/Display.html?.. if they try to visit
/Ticket/Display.html

I now see code in share/html/autohandler that looks like it does the
redirection for non-Priviledged users, but the redirection does not
appear to be working in my RT deployment.

Best Regards,

Tom

-----Original Message-----
From: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Wednesday, July 30, 2008 11:28 AM
To: Tom Remmers
Cc: Jesse Vincent; rt-devel@lists.bestpractical.com
Subject: Re: [Rt-devel] SelfService Display.html, keep in SelfService.
3.8.

Jesse,

In the RT 3.8 distribution, the “#” link in /SelfService/Display.html
takes you directly to /Ticket/Display.html (as an analysis of the
source
code confirmed).

Do your non-privileged users get to the /Ticket/Display.html page?
Note that testing this as a staff user won’t work, as staff users have
the right to see /Ticket/Display.html

For me, the issue is that I want to change the source
code so that either a) the /SelfService/Display.html “#” link points
to
/SelfService/Display.html, or b) the “#” link is hidden.

Why? RT has code to automatically get SelfService users to
/SelfService/Display.html?.. if they try to visit
/Ticket/Display.html

Keeping that link as /Ticket/Display.html means that all users, no
matter who they are, can share the unique url to the ticket and the
right thing will happen.

Thinking about this some more, even as a SuperUser, the “#” link
offers
minimal value, because it is essentially a link to itself.

They are a way to share links to particular ticket updates with
others.
(Page ‘anchors’)