Hello,

We have been removing all global permissions from the Privileged user group on our RT install, to let some important customers have access to their own support queue. In doing this, we seem to have stumbled on what appears to be a bug with the ModifyTicket setting. The user is able to search for email addresses through the "People" area of a ticket, and return a list of every email address known to RT.

Users in the CustnameEmployees group have the following permissions for their queue. The users are privileged, and I have spent most of the morning ensuring the Privileged group does not have any global rights.

CreateTicket
ReplyToTicket
SeeQueue
ShowTicket
Watch

Logging in as one of those users, I can see the queue and open tickets, and I cannot edit any values for the ticket information, as expected. However, when you click on the blue "People" bar at the top of a ticket, you can search for email addresses, and have valid addresses returned. The real danger comes when you search for people whose userid contains %. This returns a list of every email address known to RT. *Warning*: this potentially puts a very big load on the server, and on your browser.

It seems that a user without ModifyTicket should not be able to search for email addresses, and nobody should be able to search for %. Has anyone else noticed this behavior?

Thanks,
Claude Schrader

ps. Thanks for RT, it's been great for us. We have managed to roll a number of legacy tools into it, having one place for everything.

***************************************************************************
Claude M. Schrader                              302-295-4707
Network Technician                              215-701-6500 x4707
Consult Dynamics/DCANet                         888-4DCANet (888-432-2638)
[EMAIL PROTECTED]                               http://www.dca.net
****************************************************************************
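The behaviour reported above (a search for "%" returning every address) is what you get when a user-supplied search term is dropped into a SQL LIKE pattern without escaping, since "%" and "_" are LIKE wildcards. That is an assumption about the mechanism, not something the post or RT's source confirms. The following added example is not RT code: it builds a constructed in-memory SQLite table with a hypothetical `Users(Name, EmailAddress)` schema and shows the naive query beside a hardened one that checks the ModifyTicket right first, rejects blank terms, and escapes LIKE metacharacters so the caller cannot widen the match.

```python
import sqlite3

# Constructed sample user directory; not data from any real RT instance.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.org"),
    ("carol_smith", "carol@example.net"),
    ("support", "support@example.com"),
]


def _connect():
    """In-memory SQLite table standing in for a Users table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, EmailAddress TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_naive(term):
    """Wraps the raw term in %...%: a '%' or '_' typed by the user stays a
    wildcard, so a search for '%' (or an empty term) matches every row.
    There is no rights check either."""
    pattern = f"%{term}%"
    rows = _connect().execute(
        "SELECT EmailAddress FROM Users WHERE Name LIKE ? OR EmailAddress LIKE ? "
        "ORDER BY rowid",
        (pattern, pattern),
    ).fetchall()
    return [email for (email,) in rows]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the term matches literally. The escape
    character itself is escaped first, so a trailing backslash in the input
    cannot un-escape the wildcard that follows it."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_hardened(term, has_modify_ticket):
    """Three fixes: require the ModifyTicket right before searching at all,
    refuse blank terms (which would become '%%', a full dump), and escape the
    rest so '%' and '_' are matched literally. A literal '%' matches no
    address, so the wildcard dump is gone."""
    if not has_modify_ticket:
        raise PermissionError("ModifyTicket right required to search for watchers")
    if not term.strip():
        return []
    pattern = f"%{escape_like(term)}%"
    rows = _connect().execute(
        "SELECT EmailAddress FROM Users "
        "WHERE Name LIKE ? ESCAPE '\\' OR EmailAddress LIKE ? ESCAPE '\\' "
        "ORDER BY rowid",
        (pattern, pattern),
    ).fetchall()
    return [email for (email,) in rows]


if __name__ == "__main__":
    print("naive    '%':", search_naive("%"))            # every address leaks
    print("hardened '%':", search_hardened("%", True))   # []
    print("hardened '_':", search_hardened("_", True))   # only the literal underscore user
```

The rights check belongs in the search endpoint itself, not only in the page that renders the search box: a user who cannot modify the ticket has no business enumerating candidate watchers, and hiding the form does not stop a direct request to the handler.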
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com

We're hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html
