Why can an unprivileged user see any ticket?

Hi,

I am testing RT 3.4.5. When I connect as an unprivileged user, I can
select the “Goto ticket” button and see a ticket which is not mine.
This is not very secure. How can I prevent this?

Thanks in advance.

Thep SYKHEO Direction des Systèmes d’Information - IT
Department

tél : +33 (0) 1 46 25 60 41 - fax : +33 (0) 1 46 25 66 60

thep.sykheo@degremont.com

DEGREMONT, Groupe SUEZ

Les spécialistes du traitement d’eau - Water treatment
specialists

183, avenue du 18 juin 1940 - 92508 Rueil-Malmaison Cedex
France

http://www.degremont.com

This message and all attachments are confidential and intended solely for
the addressees.

Any use not in accord with its purpose, any dissemination or disclosure,
either whole or partial, is prohibited except formal approval.

If you receive this message in error, please delete it and immediately
notify the sender.

Neither Degremont Group nor any of its subsidiaries or affiliates shall be
liable for the message if altered, changed or falsified.

The RTx::RightsMatrix extension should be able to tell you how
the unprivileged group is getting the ShowTicket right.

On Tue, Jun 27, 2006 at 03:08:46PM +0200, thep.sykheo@degremont.com wrote:

> Hi,
>
> I am testing RT 3.4.5. When I connect as an unprivileged user, I can
> select the “Goto ticket” button and see a ticket which is not mine.
> This is not very secure. How can I prevent this?
>
> Thanks in advance.

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html

Hi,
I found the solution. The “ShowTicket” right must be granted to the Requestor
role and not to the Unprivileged group.

Regards.

Thep SYKHEO Direction des Systèmes d’Information - IT
Department


From: Todd Chapman <todd@chaka.net>
Date: 27/06/2006 16:17
To: thep.sykheo@degremont.com
cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Why an unprivileged user can see any ticket ?

> The RTx::RightsMatrix extension should be able to tell you how
> the unprivileged group is getting the ShowTicket right.

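The difference between the two grants discussed in this thread, as an added example that is not part of the original messages and is not RT's own code: a simplified Python model of a rights check in which a right can be granted either to a system group or to a per-ticket role. The class and function names, the `"*"` global-queue convention and the sample users and tickets are all constructed for illustration.

```python
# Simplified model of RT-style rights evaluation (illustrative; not RT's code).
from dataclasses import dataclass, field

SYSTEM_GROUPS = {"Everyone", "Privileged", "Unprivileged"}
ROLES = {"Requestor", "Cc", "AdminCc", "Owner"}

@dataclass
class User:
    name: str
    privileged: bool = False

    def groups(self):
        return {"Everyone", "Privileged" if self.privileged else "Unprivileged"}

@dataclass
class Ticket:
    id: int
    queue: str
    roles: dict = field(default_factory=dict)   # role name -> set of user names

@dataclass(frozen=True)
class Grant:
    right: str
    principal: str        # a system group or a ticket role
    queue: str = "*"      # "*" = global grant (constructed convention)

def has_right(user, ticket, right, grants):
    """True if any grant of `right` covers this user on this ticket."""
    for g in grants:
        if g.right != right or g.queue not in ("*", ticket.queue):
            continue
        if g.principal in SYSTEM_GROUPS and g.principal in user.groups():
            return True   # group grant: ignores who the ticket belongs to
        if g.principal in ROLES and user.name in ticket.roles.get(g.principal, set()):
            return True   # role grant: only holders of the role on this ticket
    return False

def overbroad_grants(grants, right="ShowTicket"):
    """Audit helper: grants of `right` to groups containing every self-service user."""
    return [g for g in grants
            if g.right == right and g.principal in {"Everyone", "Unprivileged"}]

# Constructed sample data: two requestors, one ticket each.
alice, bob = User("alice"), User("bob")
t1 = Ticket(1, "General", {"Requestor": {"alice"}})
t2 = Ticket(2, "General", {"Requestor": {"bob"}})
before = [Grant("ShowTicket", "Unprivileged")]   # configuration from the question
after = [Grant("ShowTicket", "Requestor")]       # configuration from the fix
```

With `before`, `has_right(alice, t2, "ShowTicket", before)` is true even though the ticket is bob's; with `after`, each user passes the check only on tickets where they are the requestor.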