
Mailing List Archive: Request Tracker: Users

Non-Privileged User can create requestors for other users

 

 



leefm40 at yahoo

Apr 27, 2012, 11:38 AM

Non-Privileged User can create requestors for other users

Good Evening,

I was experimenting with RT (4.0.5) last night and found that it was
possible for a non-privileged user to create tickets via the web
interface for another user regardless of if they exist or not.

Once the ticket is created the user gets a "no permissions to view this
ticket" message so some security is going on.

Would someone be so kind as to answer a few questions about this:

1) Is what I've said correct and if so is it possible to stop it without
custom coding? I'd like to restrict users to only creating tickets for
themselves, not anyone else.

No problem if I do have to code something but wanted to know if there was an
easier solution.

2) How can I stop random new users being created when they are added as
requestors? I'd prefer if only users I manually create are able to
create tickets.

There were a few older threads (from 2003 -
http://www.gossamer-threads.com/lists/rt/users/17680) that referred to
external Auth or removing the create ticket right from both Unprivileged
and Everyone but this is already set up by default from what I can tell.

If this can't be done I guess an OnCreate scrip that would auto-close
the ticket with some kind of message template informing the request why
would do the trick.

Thanks in advance

Lee


ruz at bestpractical

Apr 30, 2012, 7:00 AM

Re: Non-Privileged User can create requestors for other users

On Fri, Apr 27, 2012 at 22:38, Lee Wilson <leefm40 [at] yahoo> wrote:
> Good Evening,
>
> I was experimenting with RT (4.0.5) last night and found that it was
> possible for a non-privileged user to create tickets via the web interface
> for another user regardless of if they exist or not.
>
> Once the ticket is created the user gets a "no permissions to view this
> ticket" message so some security is going on.
>
> Would someone be so kind as to answer a few questions about this:
>
> 1) Is what I've said correct and if so is it possible to stop it without
> custom coding? I'd like to restrict users to only creating tickets for
> themselves, not anyone else.
>
> No problem if I do have to code something but wanted to know if there was an easier
> solution.
>
> 2) How can I stop random new users being created when they are added as
> requestors? I'd prefer if only users I manually create are able to create
> tickets.
>
> There were a few older threads (from 2003 -
> http://www.gossamer-threads.com/lists/rt/users/17680) that referred to
> external Auth or removing the create ticket right from both Unprivileged and
> Everyone but this is already set up by default from what I can tell.
>
> If this can't be done I guess an OnCreate scrip that would auto-close the
> ticket with some kind of message template informing the request why would do
> the trick.
>
> Thanks in advance


You can achieve this with a slight modification to the MandatoryRequestor extension[1].

[1] http://search.cpan.org/dist/RT-Extension-MandatoryRequestor/lib/RT/Extension/MandatoryRequestor.pm


>
> Lee



--
Best regards, Ruslan.
