The unprivileged user has currently the following rights: - ReplyToTicket - ShowTicket - ModifySelf
But the user is still able to view *all* tickts from *any* user by changing the ticket-id in the request url. How can I fix this security issue, so that the user can only see his own tickts? _______________________________________________ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com