Skip the queue selection for unprivileged users

So I have removed all the rights from a 3.8.4 migrated database into 4.0.2 for unprivileged users on all queues except the ‘General’ queue. I also have set in the SiteConfig file the DefaultQueue to “General”, but unprivileged users still receive a screen for ‘Queue selection’ when creating a new ticket, AND it allows them to create tickets in queues other than the General queue.

I am a bit stumped on this. If I have removed the permissions, why can unprivileged users still see and create tickets in other queues?

We have, for example Queue1, Queue2, Queue3, etc.
I don’t want them to see or access Queue1 - QueueN, but ONLY the General Queue.

Hi,

Then SeeQueue and CreateTicket are granted to too many users.

RT Training Sessions (http://bestpractical.com/services/training.html)

  • San Francisco, CA, USA — October 18 & 19, 2011
  • Washington DC, USA — October 31 & November 1, 2011
  • Barcelona, Spain — November 28 & 29, 2011

Best regards, Ruslan.

That is what I thought, but I can only ‘see’ the privileged users in the web UI since we are using LDAP authentication. So if I go instead to Tools->Configuration->Global->Group Rights, I have already removed the rights for ‘Everyone’ and ‘Unprivileged’. These two groups have no rights at all at the global level. The user groups we have defined are limited to privileged users, so this is why I am stumped removing the rights hasn’t solved my problem.

Hi,

Unprivileged users still can be in some groups. Use SELECT * FROM ACL
WHERE RightName = 'SeeQueue'; This may give you a clue.

Best regards, Ruslan.
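
Added example (not from the thread and not RT's own code): a runnable sketch that extends the ACL query suggested above so each SeeQueue/CreateTicket grant is resolved through group membership for one user, with global grants expanded to every queue. It uses SQLite with constructed rows; the table and column names (ACL, Groups, Queues, CachedGroupMembers and their fields) are assumed to mirror RT's schema and should be checked against the real database before the query is adapted to MySQL.

```python
import sqlite3

# Simplified stand-in for four RT tables. All rows are constructed sample data.
SCHEMA = """
CREATE TABLE Groups (id INTEGER, Name TEXT, Domain TEXT, Type TEXT, Instance INTEGER);
CREATE TABLE Queues (id INTEGER, Name TEXT);
CREATE TABLE CachedGroupMembers (GroupId INTEGER, MemberId INTEGER, Disabled INTEGER);
CREATE TABLE ACL (PrincipalType TEXT, PrincipalId INTEGER, RightName TEXT,
                  ObjectType TEXT, ObjectId INTEGER);
INSERT INTO Groups VALUES
  (5, '', 'SystemInternal', 'Unprivileged', 0),
  (25, 'User 24', 'ACLEquivalence', 'UserEquiv', 24),
  (60, 'Helpdesk', 'UserDefined', '', 0);          -- hypothetical user group
INSERT INTO Queues VALUES (1, 'General'), (2, 'Queue1'), (3, 'Queue2');
-- User 24 is unprivileged, has its own equivalence group, and sits in Helpdesk.
INSERT INTO CachedGroupMembers VALUES (5, 24, 0), (25, 24, 0), (60, 24, 0);
INSERT INTO ACL VALUES
  ('Group', 5,  'SeeQueue',     'RT::Queue',  1),
  ('Group', 5,  'CreateTicket', 'RT::Queue',  1),
  ('Group', 25, 'SeeQueue',     'RT::System', 0),  -- per-user grant, global scope
  ('Group', 60, 'CreateTicket', 'RT::Queue',  2);
"""

# One row per (right, queue, granting group) that reaches the user.
# A grant on RT::System is global, so it is joined against every queue.
AUDIT = """
SELECT a.RightName, q.Name, g.Domain, g.Name, g.Type, a.ObjectType
FROM ACL a
JOIN CachedGroupMembers m ON m.GroupId = a.PrincipalId AND m.Disabled = 0
JOIN Groups g ON g.id = a.PrincipalId
JOIN Queues q ON a.ObjectType = 'RT::System'
              OR (a.ObjectType = 'RT::Queue' AND q.id = a.ObjectId)
WHERE m.MemberId = ?
  AND a.PrincipalType = 'Group'
  AND a.RightName IN ('SeeQueue', 'CreateTicket')
ORDER BY q.Name, a.RightName
"""

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_grants(conn, user_id):
    """Every grant path giving the user SeeQueue or CreateTicket on a queue."""
    return conn.execute(AUDIT, (user_id,)).fetchall()

def unexpected_queues(conn, user_id, allowed=("General",)):
    """Queues the user can reach that are outside the intended allow-list."""
    return sorted({r[1] for r in effective_grants(conn, user_id) if r[1] not in allowed})

if __name__ == "__main__":
    db = demo_db()
    for grant in effective_grants(db, 24):
        print(grant)
    print("outside allow-list:", unexpected_queues(db, 24))
```

Role-based rows (where PrincipalType is a role name rather than 'Group') are deliberately left out of this sketch.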

Interesting…I have 26 rows, all principal types of group. Of that, there are 9 unique principal ids. If I add the 3 system groups and our 6 user groups, we have 9. Thanks for the sql…I’ll look around and see why these have that right, where it came from, and I’ll post back.

Izz,

Check out what rights you have granted at the Queue level. Go to each Queue
and see what you did. Any of them could have “SeeQueue” and
“CreateTicket” granted to Everyone or unprivileged.

Kenn
LBNL

I had already removed from the web ui all of the privileges I could find at the group and queue level. Upon inspection in mySQL I find these oddities which have ‘SeeQueue’ rights:

Groups Table:
5 | | Pseudogroup for internal use | SystemInternal | Unprivileged | 0 | 0 | NULL | 0 | NULL
4 | | Pseudogroup for internal use | SystemInternal | Privileged | 0 | 0 | NULL | 0 | NULL
52233 | User 52232 | ACL equiv. for user 52232 | ACLEquivalence | UserEquiv | 52232 | 0 | NULL | 0 | NULL
25 | User 24 | ACL equiv. for user 24 | ACLEquivalence | UserEquiv | 24 | 0 | NULL | 0 | NULL

Can anyone explain this? Or was there some odd inventions in the database before I came in and started the migration? :)

I still have not found the problem…any other suggestions? I found this below when running through sql.

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Izz Abdullah
Sent: Thursday, October 06, 2011 11:41 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] skip the queue selection for unprivileged users

I had already removed from the web ui all of the privileges I could find at the group and queue level. Upon inspection in mySQL I find these oddities which have ‘SeeQueue’ rights:

Groups Table:
5 | | Pseudogroup for internal use | SystemInternal | Unprivileged | 0 | 0 | NULL | 0 | NULL
4 | | Pseudogroup for internal use | SystemInternal | Privileged | 0 | 0 | NULL | 0 | NULL
52233 | User 52232 | ACL equiv. for user 52232 | ACLEquivalence | UserEquiv | 52232 | 0 | NULL | 0 | NULL
25 | User 24 | ACL equiv. for user 24 | ACLEquivalence | UserEquiv | 24 | 0 | NULL | 0 | NULL

Can anyone explain this? Or was there some odd inventions in the database before I came in and started the migration? :)

Ok, so I think I found the problem. Before I was here, they imported all of the users from LDAP into the mysql database. I have created a new user in AD, and logged into RT and everything works as expected: can only create a ticket in the General Queue, and cannot pull up tickets other than its own. So, I am about to blow away an account in RT (remember this is test until everything is worked out, then we will migrate the database over from RT3.8.4 to RT4.0.2 which sits on a different vm) and see what the repercussions are. Removing the permissions from the unprivileged account, by going to that account manually, did not correct the security issue, so deletion is the only option I see.
So I have shredded the account…I can still see some history (when looking at tickets I know the account was associated with), now I will recreate the account. Can someone give me long-term repercussions of this?

Thanks,
Izz

Ok…so I blew away an account using the shredder, had the user log back in to RT with his LDAP credentials, and he can still see queues which he shouldn’t be able to see. What to do?