Violetta,

I just thought of an idea, but it would require a bit of work. Why not try to create some views that have only the info you want these users to see and then remove them from RT. They can still get to the RT info through the views, which SHOULD suffice, since they are gonna be creating searches and reports. I'm not sure how your infrastructure is where you work, but we have many users that do NOT access RT, but create their own SQL reports all the time through the views. We're on Oracle, but I'm sure the same concept is doable with other DBs. I even have some SQL that I use to create the views. I'd be MORE than happy to send it to you and you can modify the info as per your needs. They even have comments, which you can't get to in RT Query. Just a thought.

Kenn
LBNL

On 6/19/2009 1:22 AM, Violetta J. Wawryk wrote:
Hello,

Yes, I have to make him privileged because he is a kind of control instance who has to see what orders (a ticket is an order) have been made.

Thanks to all who answered. I cannot believe that no one ever thought of this as a security bug.

@Kevin: no I did not grant ShowConfigTab to anyone, to be honest I didn't even know that this one existed.


> Email addresses themselves are considered valuable data by some
> people. In this particular case, it might also reveal customer
> contacts (which could be abused for various purposes, not just sending
> spam).

@Florian: yes, you are absolutely right.

Since a colleague found another security issue, can anyone tell me an email address where to send security issues that should definitely not be public?

Thanks in advance
Violetta


Raed El-Hames schrieb:
Violetta;

You also made these people privileged ("Let this user be granted rights" is ticked). The question is: do you want them to be privileged? If these are your customers, then you should untick this and force them into the restricted SelfService. If you have to have them privileged, then by default they will see the People tab, and to restrict that you will need to add extra code in a few places.


Regards;
Roy


Violetta J. Wawryk wrote:
Hi,

RT is 3.6.1 on a Debian system.

We just found out that in the People section everyone who can log in can search for people. So a person who has the following rights:

CreateTicket
ReplyToTicket
SeeQueue
ShowTicket

can go to the People section and do a search like:

userid doesn't contain xyz

and he gets all the users of the RT. Since this is a security issue, is there anything that I can do to prevent these searches?

It might be disabled in a newer version, if so which would that be?

A quick search on the list didn't give me an answer, therefore I have to ask this. Sorry if it's been on the list before.

Quick help is really appreciated, thanks in advance!!!!

Regards
Violetta
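The view-based approach Kenn describes above, as an added example that is not part of this thread and not RT's own code. It assumes Oracle, an RT schema named rt, and the RT 3.x table and column names I believe are in use (Tickets with id, Queue, Subject, Status, Type, EffectiveId, Created, Resolved; Queues with id, Name); the view name, the reporting account and its password are placeholders. Verify the names against your own database before running it.

```sql
-- Added example (not from the thread): a read-only Oracle view that gives a
-- reporting user the ticket ("order") data without any People/Users data.
-- Schema name "rt", view name and account name are assumptions.

-- 1. A view over Tickets carrying only the columns the controller needs.
--    Requestor email addresses live in Users/Groups and are deliberately
--    not joined in, so they cannot be reached through this view.
CREATE OR REPLACE VIEW rt.v_orders_report AS
SELECT t.id        AS ticket_id,
       q.Name      AS queue_name,
       t.Subject   AS subject,
       t.Status    AS status,
       t.Created   AS created,
       t.Resolved  AS resolved
FROM   rt.Tickets t
JOIN   rt.Queues  q ON q.id = t.Queue
WHERE  t.Type = 'ticket'          -- leave out 'reminder' and 'approval' rows
AND    t.EffectiveId = t.id;      -- leave out tickets merged into others

-- 2. Comments on the view; RT Query cannot show these, but reporting tools can.
COMMENT ON TABLE  rt.v_orders_report IS 'Orders (tickets) without requestor contact data; reporting only';
COMMENT ON COLUMN rt.v_orders_report.queue_name IS 'Queue the order was filed in';

-- 3. A separate database account that can read the view and nothing else.
--    The password is a placeholder; set a real one.
CREATE USER rt_reporting IDENTIFIED BY "CHANGE-ME-placeholder";
GRANT CREATE SESSION TO rt_reporting;
GRANT SELECT ON rt.v_orders_report TO rt_reporting;
-- No grant on rt.Tickets, rt.Users, rt.Groups or rt.Queues:
-- the view is the only path into the data.

-- 4. Check from the reporting account. This should work:
--    SELECT queue_name, COUNT(*) FROM rt.v_orders_report GROUP BY queue_name;
--    and this must fail with ORA-00942 (table or view does not exist),
--    which is what Oracle returns when the account has no privilege on the table:
--    SELECT EmailAddress FROM rt.Users;
```

The reporting account is a database login, not an RT user, so the controller's RT account can be made unprivileged (or removed) as Roy suggests without losing the reporting access; the People search in the RT web interface is then no longer reachable from it. If a report later needs requestor names, add those columns to the view deliberately rather than granting access to the Users table.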



_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

