Users able to view all tickets using "Search" function?

Has anyone noticed with RT 3.6.1 that an otherwise unprivileged user
(one who belongs to a group that only has CreateTicket, ReplyTicket, and
SeeQueue applied and no other perms anywhere) can do a search for "%"
and view a bunch of old, resolved tickets? I’ve also noticed that certain
tickets can be viewed directly just by typing the ticket number into the
search box, but other tickets get a permission-denied error. Is this
expected behavior, or do I have a really wacky permissions problem
kicking around somewheres in my database?

–Lee

> Has anyone noticed with RT 3.6.1 that an otherwise unprivileged user
> (one who belongs to a group that only has CreateTicket, ReplyTicket, and
> SeeQueue applied and no other perms anywhere) can do a search for “%”
> and view a bunch of old, resolved tickets? I’ve also noticed that certain

Nope, I get this when I tried from a low-level user account.
X RT Error
Couldn’t load ticket ‘%’

We are using Postgres as our database.

I tested some random ticket numbers last week when I set up this test
user and they weren’t able to get to other tickets.

What I’ve done to lock my users down is set up on each queue:
‘Everyone’ has CommentOnTicket, CreateTicket, ReplyToTicket, SeeQueue

Then on a Global basis I set up Group Rights, Roles, Requestor to have
‘ShowTicket’. If I didn’t do this they couldn’t see a list of their own
tickets on the webpage.

There are a lot of places permissions can hide with roles & user-defined
groups off the end of the page, so it might be buried down
there.

–Scott
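
One way to hunt for the stray grant this thread is about is to list every right that can expose tickets straight from the database (Postgres, as in the reply above). This query is an added example, not part of the original messages; the table and column names (ACL, Principals, Groups) are assumed from the stock RT 3.6 schema and should be checked against your own etc/schema.Pg.

```sql
-- Added example: every ACL row that lets a principal view tickets.
-- Assumption: stock RT 3.6 tables ACL, Principals and Groups.
SELECT a.id             AS acl_id,
       a.RightName      AS right_name,
       a.ObjectType     AS granted_on,      -- 'RT::System' = global, 'RT::Queue' = one queue
       a.ObjectId       AS queue_id,        -- meaningful only for 'RT::Queue' rows
       a.PrincipalType  AS granted_to_kind, -- 'Group', or a role name such as 'Requestor'
       g.Domain         AS group_domain,    -- 'SystemInternal', 'UserDefined', role domains
       g.Type           AS group_type,      -- e.g. 'Everyone', 'Unprivileged', 'Requestor'
       g.Name           AS group_name       -- set for user-defined groups
FROM   ACL a
LEFT JOIN Principals p
       ON p.id = a.PrincipalId
      AND p.PrincipalType = 'Group'
LEFT JOIN Groups g
       ON g.id = p.ObjectId
WHERE  a.RightName IN ('ShowTicket', 'SuperUser')
ORDER  BY a.ObjectType, a.ObjectId, g.Domain, g.Type;
```

Rows granted on 'RT::System', or to the 'Everyone' or 'Unprivileged' system groups, are the ones most likely to explain an unprivileged user seeing other people's tickets; compare each row with what the Global and per-queue rights pages show.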