Separated queues

Hi.

I use: RT 3.0.7_01 on fedora with postgresql-7.3.4-11.

I would like to separate queues for different users.
I would not even like the users to know about each other
or other queues, etc. Has anyone used RT this way?

I did a test setup, but I could not stop users from clicking
on Configuration and then list all other users (I read the
message about hiding the tab…).

Also when searching for tickets you can choose all other owners
in the dropdown. I got “Found 1 ticket”, but none was displayed when
searching for another owner than myself.

The idea is to have our support use one system for different customers.
This way we can have an overview of all issues.
The customers should be able to log in and create new tickets and
close tickets, etc., in their queue only. But it is not very good
if they know about the other tickets, customers, queues or groups.

What else must I consider to have this setup?

/Morgan

Saw this post a few days ago but only last night identified what I think is
an issue with the permissions system but very well may be its appropriate
execution and I just opened up a huge security hole and would like to run it
by your folks before rolling it out.

Requirement:
Wanted to set up so when someone logs in, they are given a list of queues to
create in but only see the queue they are a member of.

Quick Summary of environment:
RT 3.0.7_RC1
We have two front-ends (different look and feel) but one DB.
All permissions are handled through Groups, no individual user perms.

Problem:
Group A has CreateTicket and SeeQueue for Queue A
Group B has CreateTicket for Queue A

Now, the /Elements/SelectNewTicketQueue has:
# empty the session's create_in_queues list
@{$session{'create_in_queues'}} = ();
# queue collection bound to the logged-in user
my $q = new RT::Queues($session{'CurrentUser'});
$q->UnLimit;
while (my $queue = $q->Next) {
    if ($queue->CurrentUserHasRight('CreateTicket')) {

Perhaps I am missing something, but shouldn’t this show all the Queues that
the person has CreateTicket in? The behavior I am seeing is that it only
shows the queues that the person has both SeeQueue and CreateTicket. Is the
CreateTicket right dependent on the SeeQueue right?

Now by changing the line that gets the queue list:
FROM:
my $q=new RT::Queues($session{'CurrentUser'});

TO:
my $q=new RT::Queues($RT::SystemUser);

I then get the behavior I want and the user is presented with a list of
queues that they can create tickets in but not necessarily see.

So back to the original question: I got the result I wanted but what did I
do in the process?

Thanks in advance
A.J.

rt-users mailing list
rt-users@lists.bestpractical.com
http://lists.bestpractical.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

On Thu, Jan 08, 2004 at 02:04:36PM -0500, AJ wrote:

> Perhaps I am missing something, but shouldn’t this show all the Queues that
> the person has CreateTicket in? The behavior I am seeing is that it only
> shows the queues that the person has both SeeQueue and CreateTicket. Is the
> CreateTicket right dependent on the SeeQueue right?

No. Think about the case where users submit tickets by email. You may
not want the user to know that a queue exists but may want to let them
create tickets there “blind.” If you want the user to know that the
queue exists, grant them SeeQueue.

> Now by changing the line that gets the queue list:
> FROM:
> my $q=new RT::Queues($session{'CurrentUser'});
>
> TO:
> my $q=new RT::Queues($RT::SystemUser);
>
> I then get the behavior I want and the user is presented with a list of
> queues that they can create tickets in but not necessarily see.
>
> So back to the original question: I got the result I wanted but what did I
> do in the process?

An end-run around the access control system. :confused:

> Thanks in advance
> A.J.


Request Tracker... So much more than a help desk — Best Practical Solutions – Trouble Ticketing. Free.

I looked into a similar issue in Oct. I have granted CreateTicket to
privileged users, in order to allow all internal employees to create a ticket
in any queue. Tickets can be successfully created via the e-mail gateway,
but not from the web interface.

The problem is that the queues do not appear in the queue list drop-down box.
It looks like the SeeQueue requirement comes from RT::Queue->Next(), which is
used in the process of populating the drop-down box.

Is there another queue iterator that can be used in /Elements/SelectQueue?
Or should an option be added to RT::Queue->Next() to remove the SeeQueue
requirement?

I have attached my e-mail to the list in Oct.

Cheers,
Aaron Sterr

Sadly, I lectured the network engineers about making statements when they
don’t know the facts after hearing that they told the new IT manager that RT
was a home grown app. The same day I turn around and do the same thing to
RT about separated queues.

From one coder to another, I need to formally apologize to Jesse about
making judgments regarding the SeeQueue dependency.

For those of you who aren’t coders (I’ll reserve further exploration for the
devel list), let me explain, since I feel that after making an ass of myself I
should at least try to defend the Best Practical methodology:

In order to provide a simple way for frontend folks to list queues without
complicating the matter and possibly having a security hole opened up, the
$q->Next method assumes the current user has SeeQueue, which, in retrospect,
is a valid assumption for the typical installation. After trying to extend
the Queues modules to add a method that doesn’t do this, it became apparent
that it would have been VERY complicated to code it so that cycling through
is easy for front end people to invoke and security is maintained. Otherwise
there would have to be all these additional arguments passed to the Next in
order for it to provide the output desired, and then not all the rights
would want to be passed (AdminQueue, for instance, since if you can’t see the
queue, you should not be able to admin it). All this additional
cross-referencing of the user, group, rights, and queues tables would result in
a good bit of queries and internal activity. When things get complicated, errors
are prone to happen. I found out the hard way it was way too easy for users
who knew the queue IDs and such to access info they shouldn’t without this
SeeQueue dependency.

Also, my end run around the permissions system resulted in having to change
the create ticket html, display html, etc… At least it’s nice to know that
if someone makes an error with permissions (me for example) in one page, it
doesn’t necessarily carry into the other pages.

So the quest is still on to find a clean way to list queues where create
ticket is the only dependency (perhaps a LimitToCreate function… don’t
know yet).

Can’t wait till this is deployed, I need a vacation.

A.J.
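
Added example (not part of the original thread and not RT source code): a self-contained Perl model of the two ways of building the queue list discussed above, next to a variant that authorizes against the real user. The %ACL data, the user names and all helper functions are constructed for illustration, and the model assumes that each per-queue rights check runs as whatever identity built the collection, which should be confirmed against the RT version in use.

```perl
#!/usr/bin/perl
# Toy model of collection-level ACL filtering (constructed; not RT source).
use strict;
use warnings;

# Constructed ACL: queue => { user => { right => 1 } }
my %ACL = (
    'Queue A' => { alice => { SeeQueue => 1, CreateTicket => 1 },
                   bob   => { CreateTicket => 1 } },   # may create, may not see
    'Queue B' => { bob   => { SeeQueue => 1 } },
    'Queue C' => {},                                   # nobody has any right
);

# The SYSTEM identity passes every check, like a superuser principal.
sub has_right {
    my ($user, $queue, $right) = @_;
    return 1 if $user eq 'SYSTEM';
    my $rights = $ACL{$queue}{$user} || {};
    return $rights->{$right} ? 1 : 0;
}

# What iterating the collection yields: queues without SeeQueue are skipped.
sub queues_for {
    my ($as_user) = @_;
    return grep { has_right($as_user, $_, 'SeeQueue') } sort keys %ACL;
}

# Pattern from the thread: enumeration and the per-queue check share one
# identity (assumption of this model), so passing SYSTEM changes both.
sub create_list_as {
    my ($as_user) = @_;
    return grep { has_right($as_user, $_, 'CreateTicket') } queues_for($as_user);
}

# Hardened variant: enumerate as SYSTEM, authorize against the real user.
sub create_list_checked {
    my ($real_user) = @_;
    return grep { has_right($real_user, $_, 'CreateTicket') } queues_for('SYSTEM');
}

for my $u (qw(alice bob)) {
    printf "%-5s as self: %s\n", $u, join(', ', create_list_as($u))      || '(none)';
    printf "%-5s checked: %s\n", $u, join(', ', create_list_checked($u)) || '(none)';
}
printf "built as SYSTEM: %s\n", join(', ', create_list_as('SYSTEM'));
```

In the model, building the list as SYSTEM returns every queue, because the CreateTicket check is then answered for SYSTEM rather than for the logged-in user. The checked variant lists Queue A for bob without granting him SeeQueue and still hides Queue B and Queue C from him.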