ruz at bestpractical
Apr 30, 2012, 7:00 AM
Post #2 of 2
On Fri, Apr 27, 2012 at 22:38, Lee Wilson <leefm40 [at] yahoo> wrote:
Re: Non-Privileged User can create requestors for other users
[In reply to]
> Good Evening,
> I was experimenting with RT (4.0.5) last night and found that it was
> possible for a non-privileged user to create tickets via the web interface
> for another user regardless of if they exist or not.
> Once the ticket is created the user gets a "no permissions to view this
> ticket" message so some security is going on.
> Would someone be so kind as to answer a few questions about this:
> 1) Is what I've said correct and if so is it possible to stop it without
> custom coding? I'd like to restrict users to only creating tickets for
> themselves, not anyone else.
> No problem if I do have to code something but wanted if there was an easier
> 2) How can I stop random new users being created when they are added as
> requestors ? I'd prefer if only users I manually create are able to create
> There were a few older threads (from 2003 -
> http://www.gossamer-threads.com/lists/rt/users/17680) that referred to
> external Auth or removing the create ticket right from both Unprivileged and
> Everyone but this is already setup by default from what I can tell.
> If this can't be done I guess an OnCreate scrip that would auto-close the
> ticket with some kind of message template informing the request why would do
> the trick.
> Thanks in advance
You can achieve this slight modification to MandatoryRequestor extension.
Best regards, Ruslan.