Hello, yes I have to make him privileged because he is a kind of control instance who has to see what orders (a ticket is an order) have been made.
Thanks to all who answered. I cannot believe that no one ever thought of this as a security bug.

@Kevin: no, I did not grant ShowConfigTab to anyone; to be honest, I didn't even know that this one existed.

> Email addresses themselves are considered valuable data by some
> people. In this particular case, it might also reveal customer
> contacts (which could be abused for various purposes, not just sending
> spam).

@Florian: yes, you are absolutely right.

Since a colleague found another security issue, can anyone tell me an email address where to send security issues that should definitely not be public?

Thanks in advance
Violetta

Raed El-Hames wrote:
> Violetta;
>
> You also made these people privileged (Let this user be granted rights
> is ticked), the question is do you want them to be privileged, if these
> are your customers then you should untick this and force them into the
> restricted SelfService, if you have to have them privileged then by
> default they will see the peoples tab, and to restrict that you will
> need to add extra code in a few places.
>
> Regards;
> Roy
>
> Violetta J. Wawryk wrote:
>> Hi,
>>
>> RT is 3.6.1 on a Debian system
>>
>> we just found out that in the people section everyone who can login
>> can search for people. So a person who has the following rights:
>>
>> CreateTicket
>> ReplyToTicket
>> SeeQueue
>> ShowTicket
>>
>> can go to the people section and do a search like:
>>
>> userid doesn't contain xyz
>>
>> he gets all the users of the RT. Since this is a security issue, is
>> there anything that I can do to prevent these searches?
>>
>> It might be disabled in a newer version, if so which would that be?
>>
>> A quick search on the list didn't give me an answer, therefore I have
>> to ask this. Sorry if it's been on the list before.
>>
>> Quick help is really appreciated, thanks in advance!!!!
>>
>> Regards
>> Violetta

--
creating IT solutions
Violetta J. Wawryk, IT-Service
science + computing ag
Hagellocher Weg 73, 72070 Tuebingen, Germany
phone +49 7071 9457 282
fax +49 7071 9457 211
www.science-computing.de