Hi Torsten,

Many thanks for your help. It is working fine now !!!

Many thanks !!!

Best regards,
Tariq

-----Original Message-----
From: Torsten Brumm [mailto:torsten.br...@googlemail.com]
Sent: Monday, 29 March 2010 15:50
To: Tariq Doukkali
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] security issue

Oh, just read: You granted (globally?) unprivileged users the right to see a ticket? That's heavy.... Depending on your need, I would suggest granting ShowTicket only to Requestor (on a queue basis).

Is it really needed that all users from Company 1 can see tickets created by someone from Company 1?

Torsten

2010/3/29 Tariq Doukkali <tariq.doukk...@autoform.de>:
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab
> and changes id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is able to show this ticket too.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to show
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem ???
>
> Many thanks in advance !!!
>
> Tamodew
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com

--
Kind regards,
Torsten Brumm
http://www.brumm.me
http://www.elektrofeld.de