Re: [rt-users] security issue

2010-03-30 Thread Tariq Doukkali
Hi Torsten,

Many thanks for your help. It is working fine now !!!

Thank you very much !!!

Best regards,
Tariq

-Original Message-
From: Torsten Brumm [mailto:torsten.br...@googlemail.com] 
Sent: Monday, 29 March 2010 15:50
To: Tariq Doukkali
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] security issue

Oh, I just read: you granted (globally?) unprivileged users the right
to see a ticket? That's heavy.

Depending on your need I would suggest granting ShowTicket only to
Requestor (on a queue basis).

Is it really needed that all users from Company 1 can see tickets
created by someone of Company 1?

Torsten

2010/3/29 Tariq Doukkali :
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab
> and changes the id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is also able to show this ticket.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to show
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem ???
>
> Many thanks in advance !!!
>
> Tamodew
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>



-- 
Kind regards

Torsten Brumm

http://www.brumm.me
http://www.elektrofeld.de



Re: [rt-users] security issue

2010-03-29 Thread Torsten Brumm
Oh, I just read: you granted (globally?) unprivileged users the right
to see a ticket? That's heavy.

Depending on your need I would suggest granting ShowTicket only to
Requestor (on a queue basis).

Is it really needed that all users from Company 1 can see tickets
created by someone of Company 1?

Torsten

2010/3/29 Tariq Doukkali :
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab
> and changes the id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is also able to show this ticket.
>
> The problem is that we have different unprivileged users (company 1,
> company 2). Unprivileged users of company 1 should only be able to show
> their own tickets (not tickets of unprivileged users of company 2), but on the RT
> system we can change permissions for the group unprivileged users, which
> (in our case) includes all users of all companies.
>
> How can I solve the problem ???
>
> Many thanks in advance !!!
>
> Tamodew
>



-- 
Kind regards

Torsten Brumm

http://www.brumm.me
http://www.elektrofeld.de

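Torsten's advice above, granting ShowTicket to the Requestor role per queue instead of to the Unprivileged group globally, is the difference between a group-wide grant and an object-level check tied to the ticket itself. The following is an added example, not code from RT or from anyone in this thread: a small Python model of how a ticket right resolves against a global group grant versus a per-queue role grant, replaying the scenario from the thread (a self-service user from one company editing the id in the URL to another company's ticket). Only the right and role names (ShowTicket, Requestor, Unprivileged) come from RT; the queue names, users, ticket ids and all data structures and functions are constructed assumptions for the illustration. The same model also shows Torsten's other point: a user who is requestor on both tickets legitimately sees both under either setup.

```python
# Added example (not from the thread or from RT): a model of how a ticket
# right such as ShowTicket resolves for a self-service user.  Queue names,
# users and ticket data are constructed for the illustration.
from dataclasses import dataclass, field

GLOBAL = "*"                    # a grant scoped to every queue
UNPRIVILEGED = "Unprivileged"   # system group every self-service user is in
REQUESTOR = "Requestor"         # per-ticket role, not a fixed group


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    requestors: frozenset


@dataclass
class Acl:
    # (principal, right) -> set of queue names the grant covers (or GLOBAL)
    grants: dict = field(default_factory=dict)

    def grant(self, principal: str, right: str, queue: str = GLOBAL) -> None:
        self.grants.setdefault((principal, right), set()).add(queue)

    def has_right(self, user: str, right: str, ticket: Ticket) -> bool:
        # Principals that may carry the grant: the static group, plus the
        # Requestor role only if this user is a requestor of *this* ticket.
        principals = {UNPRIVILEGED}
        if user in ticket.requestors:
            principals.add(REQUESTOR)
        for principal in principals:
            scopes = self.grants.get((principal, right), set())
            if GLOBAL in scopes or ticket.queue in scopes:
                return True
        return False


# Constructed tickets: two companies, one queue each, one requestor each.
TICKETS = {
    490: Ticket(490, "company-1", frozenset({"bob@company1.example"})),
    493: Ticket(493, "company-2", frozenset({"alice@company2.example"})),
}


def global_grant_acl() -> Acl:
    """The setup described in the thread: ShowTicket given to Unprivileged globally."""
    acl = Acl()
    acl.grant(UNPRIVILEGED, "ShowTicket")
    return acl


def requestor_per_queue_acl() -> Acl:
    """Torsten's suggestion: ShowTicket only to the Requestor role, per queue."""
    acl = Acl()
    for queue in ("company-1", "company-2"):
        acl.grant(REQUESTOR, "ShowTicket", queue)
    return acl


def can_display(acl: Acl, user: str, ticket_id: int) -> bool:
    """What SelfService/Display.html?id=<ticket_id> should decide for this user."""
    ticket = TICKETS.get(ticket_id)
    return ticket is not None and acl.has_right(user, "ShowTicket", ticket)


def global_grants_to_unprivileged(acl: Acl) -> list:
    """Audit helper: rights the Unprivileged group holds on every queue at once."""
    return sorted(right for (principal, right), scopes in acl.grants.items()
                  if principal == UNPRIVILEGED and GLOBAL in scopes)


if __name__ == "__main__":
    alice = "alice@company2.example"
    for label, acl in (("global grant", global_grant_acl()),
                       ("Requestor per queue", requestor_per_queue_acl())):
        print(f"{label}: alice id=493 -> {can_display(acl, alice, 493)}, "
              f"id=490 -> {can_display(acl, alice, 490)}; "
              f"global Unprivileged rights: {global_grants_to_unprivileged(acl)}")
```

Under the global grant, alice (requestor of 493 in company-2's queue) can display 490 as well, which is exactly the symptom Tariq reported; under the per-queue Requestor grant she can display only 493, and the audit helper returns an empty list because nothing is granted to Unprivileged globally. On a real RT instance the equivalent review is the global rights page for the Unprivileged group: any ticket-level right listed there applies to every queue.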


Re: [rt-users] security issue

2010-03-29 Thread Torsten Brumm
Hi,
I think this is a config error in your installation; I tried it out just
now in my installation and all I get is: No permission to display that
ticket
RT Rights Setup is really clean and good!
Possibly the requestor of ticket 490 is the same as for ticket 493?
Torsten

2010/3/29 Tariq Doukkali 
>
> Hi all,
>
> if an unprivileged user clicks a link to open a ticket, the link below will 
> be shown in the browser as the URL address:
>
> https://company.com/SelfService/Display.html?id=493
>
> but if the user tries to copy and paste this URL address into another browser tab 
> and changes the id to 490 as shown below,
>
> https://company.com/SelfService/Display.html?id=490
>
> the user is also able to show this ticket.
>
> The problem is that we have different unprivileged users (company 1, company 
> 2). Unprivileged users of company 1 should only be able to show their own 
> tickets (not tickets of unprivileged users of company 2), but on the RT system we 
> can change permissions for the group unprivileged users, which (in our case) 
> includes all users of all companies.
>
> How can I solve the problem ???
>
> Many thanks in advance !!!
>
> Tamodew



--
Kind regards

Torsten Brumm

http://www.brumm.me
http://www.elektrofeld.de



[rt-users] security issue

2010-03-29 Thread Tariq Doukkali
Hi all,

if an unprivileged user clicks a link to open a ticket, the link below will be 
shown in the browser as the URL address:

https://company.com/SelfService/Display.html?id=493

but if the user tries to copy and paste this URL address into another browser tab 
and changes the id to 490 as shown below,

https://company.com/SelfService/Display.html?id=490

the user is also able to show this ticket.

The problem is that we have different unprivileged users (company 1, company 
2). Unprivileged users of company 1 should only be able to show their own 
tickets (not tickets of unprivileged users of company 2), but on the RT system we can 
change permissions for the group unprivileged users, which (in our case) 
includes all users of all companies.

How can I solve the problem ???

Many thanks in advance !!!

Tamodew

