User able to view, comment, reply to tickets not belonging to themselves

Hello everyone,

I currently have RT 4.2.9 installed. I have the ability for our customers to log in and view their open and resolved tickets. This all works great and they can comment, reply and change the status on their tickets. However my issue is this: in the URL "domain.tld/SelfService/Display.html?id=1503120001". After the id= it displays the ticket number.
If I am a clever user I can easily understand the ticketing number and change it to 1503110001 and see the ticket that belongs to someone else, and they have the ability to comment, reply etc.

I am looking for a way to either

  1. Not have the ticket number displayed in the URL
  2. Not have the ability to view other tickets that do not belong to the user logged in

Thanks in advance if anyone can help me with this.

Michael Jab
XMission Support Manager

Hello everyone,

I currently have RT 4.2.9 installed. I have the ability for our
customers to log in and view their open and resolved tickets. This all
works great and they can comment, reply and change the status on their
tickets. However my issue is this: in the URL
"domain.tld/SelfService/Display.html?id=1503120001". After the id=
it displays the ticket number.
If I am a clever user I can easily understand the ticketing number
and change it to 1503110001 and see the ticket that belongs to someone
else, and they have the ability to comment, reply etc.

I am looking for a way to either

  1. Not have the ticket number displayed in the URL

Entirely infeasible, also not a solution, since it only slightly raises
the cleverness bar. RT depends on having unique URLs for tickets.

  2. Not have the ability to view other tickets that do not belong to
    the user logged in

That’s what you get with the default Rights configuration. You may have
assigned overly-permissive Rights to the System groups “Everyone”
and/or “Unprivileged.” On the Admin/Global/GroupRights.html page,
uncheck ‘View ticket summaries’ (ShowTicket) for those groups.
Unprivileged users should only get a ShowTicket Right by way of having a
Requestor or Cc role. You should also confirm that those roles DO have
it granted.
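One way to check this against a running instance, as an added audit script that is not part of RT or of anyone's post in this thread: it assumes RT 4.2 installed under /opt/rt4 and uses RT's own Perl API to ask whether the system groups "Everyone" and "Unprivileged" hold any right, globally or on any queue. Because a global grant is inherited by every queue, one global ShowTicket grant will also be reported on each queue.

```perl
#!/usr/bin/perl
# Added audit script (not part of RT): lists every right the system groups
# "Everyone" and "Unprivileged" hold, globally and per queue. Every line
# printed is a finding: self-service users should reach a ticket only via
# the Requestor or Cc role, never through these groups.
# Assumptions: RT 4.2 under /opt/rt4; run as the user RT runs as.
use strict;
use warnings;
use lib '/opt/rt4/lib';
use RT;
RT::LoadConfig();
RT::Init();

# Objects rights can be granted on: the global System object and each queue.
my @objects = ( RT->System );
my $queues = RT::Queues->new( RT->SystemUser );
$queues->UnlimitedRowsPerPage;
while ( my $queue = $queues->Next ) { push @objects, $queue }

sub label {
    my $obj = shift;
    return $obj->isa('RT::Queue') ? 'queue "' . $obj->Name . '"' : 'global';
}

my $findings = 0;
for my $name (qw(Everyone Unprivileged)) {
    my $group = RT::Group->new( RT->SystemUser );
    $group->LoadSystemInternalGroup($name);
    die "cannot load system group $name\n" unless $group->Id;

    for my $obj (@objects) {
        # AvailableRights is the same list GroupRights.html offers. SuperUser
        # ("Do anything and everything") is tested first: it implies all others.
        my @rights = ( 'SuperUser',
            grep { $_ ne 'SuperUser' } sort keys %{ $obj->AvailableRights } );
        for my $right (@rights) {
            next unless $group->PrincipalObj->HasRight( Right => $right, Object => $obj );
            printf "FINDING: %-12s has %-22s on %s\n", $name, $right, label($obj);
            $findings++;
            last if $right eq 'SuperUser';    # every later line would be redundant
        }
    }
}
print $findings
    ? "$findings finding(s); review Admin/Global/GroupRights.html\n"
    : "OK: no rights granted to Everyone or Unprivileged\n";
```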

Kenneth and Bill, thank you. I got so frustrated that I removed all permissions, ended up locking myself out, logged in with root and found the solution.
It seems that under Admin > Global > Group Rights, in the Everyone Rights for Administrators, the box for ‘Do anything and everything’ was checked. Once I unchecked it and started to set permissions on a queue level I got it to work like a charm.

Thanks again for all your help guys.

Michael J

----- Original Message -----

From: “Kenneth Crocker” kenn.crocker@gmail.com
To: “Michael Jablonski” jab@xmission.com
Sent: Friday, March 13, 2015 9:38:10 AM
Subject: Re: [rt-users] User able to view, comment, reply to tickets not belonging to themselves

Michael,

Bill is right. You have to be careful how you grant rights. I’ve attached an excerpt from my eBook “Request Tracker for Beginners - A Topical Guide”. I have a complete section on rights that includes group rights and rights/permissions for Custom Fields as well as how you should set up global and Queue rights.

I’d be happy to answer any questions you have once you’ve read it.

Kenn

On Thu, Mar 12, 2015 at 3:41 PM, Michael Jablonski < jab@xmission.com > wrote: