Dear list, I wrote on 6/28/07:
I'd like to stop the customer from changing the ticket state after it was moved to a queue to which that customer has read-only access (via group access).
I've enabled customer groups, the customer is a member of the specified group with ro access, the queue belongs to the specified group.
Should I assume that this is buggy behaviour and report it as a bug, or am I overlooking something?

Additional info:
1) Both agents and customers are authenticated to AD domain controllers using the LDAP backend.
2) I also tried restricting the possibility of changing state using ACL, to no effect.

Attached is a slightly neutered Kernel/Config.pm file, so that you could see what was changed.

As this is the only problem that prevents me from introducing OTRS in our part of the organization, I'd really like to find the culprit...

Best regards
Miroslaw Baran
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2006 OTRS GmbH, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.18 2006/09/07 16:15:41 mh Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see http://www.gnu.org/licenses/gpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

BEGIN {
    if (-f '/etc/otrs/database.pm') {
        require '/etc/otrs/database.pm';
        if ($dbtype eq 'pgsql') {
            $dbport ||= '5432';
            our $dsn = "DBI:Pg:dbname";
        } else {
            $dbport ||= '3306';
            our $dsn = "DBI:mysql:database";
        }
    }
}

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{DatabaseHost} = $dbserver || 'localhost';
    # Database
    # (The database name.)
    $Self->{Database} = $dbname || 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{DatabaseUser} = $dbuser || 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/CryptPassword.pl
    # for crypted passwords.)
    $Self->{DatabasePw} = $dbpass;
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "$dsn=$Self->{Database};host=$Self->{DatabaseHost};port=$dbport;";
    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/usr/share/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #
    # GimelDat default settings for the ticketing system   #
    # ---------------------------------------------------- #
    $Self->{'SecureMode'} = 1;
    $Self->{'DefaultPreViewLines'} = '25';
    $Self->{'AttachmentDownloadType'} = 'inline';
    $Self->{'PostmasterAutoHTML2Text'} = '1';
    $Self->{'PostmasterFollowUpSearchInBody'} = 1;
    $Self->{'PostmasterFollowUpSearchInAttachment'} = 1;
    # we're using our own priorities
    $Self->{'PostmasterDefaultPriority'} = 'Minor';
    $Self->{'CustomerGroupSupport'} = 1;
    $Self->{'SwitchToUser'} = '1';
    $Self->{'System::Customer::Permission'} = [ 'ro', 'rw', 'priority' ];
    # we definitely don't need very long ticket numbers
    $Self->{'Ticket::NumberGenerator'} = 'Kernel::System::Ticket::Number::AutoIncrement';
    $Self->{'Ticket::Responsible'} = 1;
    $Self->{'Ticket::Type'} = '1';
    $Self->{'Ticket::Service'} = '1';
    $Self->{'Ticket::Hook'} = 'Case#';
    $Self->{'PDF::LogoFile'} = '/var/lib/otrs/customized_logo.jpg';

    # ---------------------------------------------------- #
    # GimelDat interface customizations                    #
    # ---------------------------------------------------- #
    $Self->{'ProductName'} = 'Aleph Beth Case Tracker';
    $Self->{'Organization'} = 'GimelDat';
    $Self->{'SystemID'} = '0';
    $Self->{'FQDN'} = 'gimel.dat.invalid';
    $Self->{'HttpType'} = 'https';
    $Self->{'ScriptAlias'} = 'support/';
    $Self->{'DefaultLanguage'} = 'en';
    $Self->{'DefaultUsedLanguages'} = { 'en' => 'English' };
    $Self->{'DefaultCharset'} = 'utf-8';
    $Self->{'AdminEmail'} = '[EMAIL PROTECTED]';
    $Self->{'DefaultTheme'} = 'GimelDat';
    $Self->{'NotificationSenderName'} = 'GimelDat Case Tracker Notification';
    $Self->{'NotificationSenderEmail'} = '[EMAIL PROTECTED]';
    $Self->{'Frontend::ImagePath'} = '/support-web/images/GimelDat/';
    $Self->{'SpellChecker'} = 0;
    $Self->{'SpellCheckerDictDefault'} = 'English';
    $Self->{'Ticket::Frontend::BulkFeatureJavaScriptAlert'} = 0;
    $Self->{'Ticket::Frontend::CustomerTicketMessage'}->{'PriorityDefault'} = 'Minor';
    $Self->{'Ticket::Frontend::CustomerTicketMessage'}->{'Priority'} = '1';
    $Self->{'CustomerPanelOwnSelection'} = {'Misc' => 'Default'};

    # ---------------------------------------------------- #
    # GimelDat Active Directory integration follows        #
    # ---------------------------------------------------- #
    my @domain_controllers = ( 'dc01.gimel.dat.invalid' );
    my $ad_search_dn = 'CN=LDAP reader,ou=Service Accounts,dc=gimel,dc=dat,dc=invalid';
    my $ad_search_pw = 'kumquat';
    my $ad_agents_group = 'CN=Ticket Agents,OU=Security groups,dc=gimel,dc=dat,dc=invalid';
    my $ad_customers_group = 'CN=Customers,OU=Security groups,dc=gimel,dc=dat,dc=invalid';

    # Agent integration configuration
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = [EMAIL PROTECTED];
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=gimel,dc=dat,dc=invalid';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # Check if the user is allowed to auth using group object
    $Self->{'AuthModule::LDAP::GroupDN'} = $ad_agents_group;
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; # for posixGroup just use 'memberUid'
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # for posixGroup just use 'uid'
    # Required by Active Directory (does not allow anonymous searches)
    $Self->{'AuthModule::LDAP::SearchUserDN'} = $ad_search_dn;
    $Self->{'AuthModule::LDAP::SearchUserPw'} = $ad_search_pw;
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };
    $Self->{UserSyncLDAPMap} = {
        Firstname => 'givenName',
        Lastname => 'sn',
        Email => 'mail',
    };

    # Customer integration configuration
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = [EMAIL PROTECTED];
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=gimel,dc=dat,dc=invalid';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = $ad_customers_group;
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member'; # memberUid for posixGroup
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; # uid for posixGroup
    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $ad_search_dn;
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $ad_search_pw;
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
    # in case you want to add a suffix to each customer login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists [EMAIL PROTECTED]
    #$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    $Self->{CustomerUser} = {
        Name => 'LDAP Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => [EMAIL PROTECTED],
            # ldap base dn
            BaseDN => 'dc=gimel,dc=dat,dc=invalid',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # Absolutely necessary for Active Directory
            UserDN => $ad_search_dn,
            # Needs to be fully qualified active directory domain name (user at domain.com)
            UserPw => $ad_search_pw,
        },
        # customer uniq id
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['givenName', 'sn', 'mail'],
        CustomerUserSearchFields => ['displayName','sAMAccountName','givenName', 'sn', 'mail','description'],
        CustomerUserPostMasterSearchFields => ['displayName','sAMAccountName','givenName','sn','mail','description'],
        CustomerUserNameFields => ['givenName', 'sn'],
        CustomerUserValidFilter => '(memberOf=' . $ad_customers_group . ')',
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenName', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var' ],
            [ 'UserAddress', 'Address', 'postalAddress', 1, 0, 'var' ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };

    # ---------------------------------------------------- #
    # ACL definition                                       #
    # ---------------------------------------------------- #
    $Self->{'TicketACL'}->{'prevent-junk-reopen'} = {
        Properties => {
            Ticket => {
                Queue => ['Junk'],
            },
        },
        Possible => {
            Ticket => {
                State => ['closed sucessful', 'removed'],
            },
        },
        PossibleNot => {
            Ticket => {
                State => ['open'],
            },
        },
    };

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #          End of your own config options!!!           #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
$VERSION = '$Revision: 1.18 $';
$VERSION =~ s/^\$.*:\W(.*)\W.+?$/$1/;
# -----------------------------------------------------#
1;
