On Fri, Apr 27, 2012 at 22:38, Lee Wilson <leef...@yahoo.co.uk> wrote: > Good Evening, > > I was experimenting with RT (4.0.5) last night and found that it was > possible for a non-privileged user to create tickets via the web interface > for another user regardless of if they exist or not. > > Once the ticket is created the user gets a "no permissions to view this > ticket" message so some security is going on. > > Would someone be so kind as to answer a few questions about this: > > 1) Is what I've said correct and if so is it possible to stop it without > custom coding? I'd like to restrict users to only creating tickets for > themselves, not anyone else. > > No problem if I do have to code something but wanted if there was an easier > solution. > > 2) How can I stop random new users being created when they are added as > requestors ? I'd prefer if only users I manually create are able to create > tickets. > > There were a few older threads (from 2003 - > http://www.gossamer-threads.com/lists/rt/users/17680) that referred to > external Auth or removing the create ticket right from both Unprivileged and > Everyone but this is already setup by default from what I can tell. > > If this can't be done I guess an OnCreate scrip that would auto-close the > ticket with some kind of message template informing the request why would do > the trick. > > Thanks in advance
You can achieve this slight modification to MandatoryRequestor extension[1]. [1] http://search.cpan.org/dist/RT-Extension-MandatoryRequestor/lib/RT/Extension/MandatoryRequestor.pm > > Lee -- Best regards, Ruslan.