Kenneth and Bill, Thank you - I got so frustrated that I removed all permissions, ended up locking my self out, logged in with root and found the solution.
Seems I had under Admin > Global > Group Rights in the Everyone Rights for Administrators the box for ‘Do anything and everything’ was checked. Once I unchecked it and started to set permissions on a queue level I got it to work like a charm.
Thanks again for all your help guys.
Michael J----- Original Message -----
From: “Kenneth Crocker” firstname.lastname@example.org
To: “Michael Jablonski” email@example.com
Sent: Friday, March 13, 2015 9:38:10 AM
Subject: Re: [rt-users] User able to view, comment, reply to tickets not belonging to themselves
Bill is right. You have to be careful how you grant rights. I’ve attahced an excerpt from my eBook “Request tracker for Beginners - A Topical Guide”. I have a complet section on rights that includes group rights and rights/permissions for Custom Fields as well as how you should set up global and Queue rights.
I’d be happy to answer questions you once you’ve read it.
On Thu, Mar 12, 2015 at 3:41 PM, Michael Jablonski < firstname.lastname@example.org > wrote:
I currently have RT 4.2.9 installed. I have the ability for our customers to log in and view their open and resolved tickets. This all works great and they can comment, reply and change the status on their tickets. However my issue is this: in the URL "domain.tld/SelfService/Display.html?id= 1503120001 ". After the id= it displays the ticket number.
If I am a cleaver user I can easily understand the ticketing number and change it to 1503110001 and see the ticket that belongs to someone else, and they have the ability to comment, reply etc.
I am looking for a way to either
- Not have the ticket number displayed in the URL
- Not have the ability to view other tickets that do not belong to the user logged in
Thanks in advance if anyone can help me with this.
XMission Support Manager