Are you sure it's the global RT At a Glance? It seems everyone can modify it for themselves...
On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
> Hi Kenn, hi everybody,
>
> Thank you for your answer. I was expecting the same behaviour as
> you. But to my unpleasant surprise, a user who only has
> - "ShowConfigTab" global right for himself.
> - "ShowApprovalsTab" global right for Privileged users. And
> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights
>   in those queues.
> can do nothing harmful with the single exception of modifying the
> global RT at a glance.
>
> This behaviour has surprised me probably as much as you. Because of
> it, I would like someone else to check this configuration in order to
> see whether it is my fault (I am doing something wrong) or it is an
> RT bug (this happens to everybody, but it shouldn't).
>
> Greetings,
> Carlos
>
> PS: I found somewhere an RT installation for testing purposes, but
> users' grants, including root, were so restricted that I couldn't
> reproduce the configuration I wanted.
>
> Ken Crocker wrote:
>> Carlos,
>> I may be mistaken, but I think the "ShowConfigTab" merely allows
>> the user to see that tab and the functions under it. The user still
>> needs to have other rights (like "ShowTemplate" and
>> "ModifyTemplate") in order to see/modify templates and I'm sure the
>> same situation exists for other objects to be modified.
>> Kenn
>> LBNL
>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>
>>> Please, can anyone confirm for me that a user who only has the global
>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>
>>> I'm using RT 3.8.2 and I would like to know if either I'm doing
>>> something wrong or this is the expected behaviour. If this were
>>> the second case, should this be considered a bug?
>>>
>>> For a longer explanation, attached you can find my previous message.
>>>
>>> Thanking you in advance,
>>> Carlos
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Subject: [rt-users] Rights issue on Configuration -> Global -> RT at a
>>> glance on RT 3.8.2
>>> From: Carlos Garcia Montoro <[email protected]>
>>> Date: Fri, 29 May 2009 12:18:06 +0200
>>> To: [email protected]
>>>
>>> Hello,
>>>
>>> I've a question/request about RT that I have been neither able to
>>> resolve by myself, nor have I found it at the RT wiki or
>>> googling this mailing list.
>>>
>>> I'm a newbie using RT. I'm installing an organizational RT (ver.
>>> 3.8.2). We have some departments that are autonomous of each
>>> other. Thus, I want to grant some privileges for every admin group
>>> of each department. I want to allow them to handle their own
>>> queues, groups, etc. But I also want not to allow them to modify
>>> others' space. I have achieved this configuration, i.e. admins are
>>> only able to see their groups, admins can see all queues but they
>>> are only allowed to modify some properties (Cc, AdminCc,...) of
>>> their own queues but not other queues. In order to do that I have
>>> granted them the global right "ShowConfigTab". Otherwise they had
>>> rights but they couldn't use them (they couldn't modify group
>>> membership of their groups,...).
>>>
>>> The problem I'm suffering is this: When I grant the
>>> "ShowConfigTab" right to a user or group, I'm also granting
>>> privileges to modify the global RT at a glance. Let me show an
>>> example: Let me create a user foo who can be granted rights ("Let
>>> this user be granted rights" is checked). This new user isn't a
>>> member of any group, so he has no rights other than "Everyone" and
>>> "Privileged". At this moment, global rights for these groups are
>>> the default (no global right for "Everyone", and only
>>> "ShowApprovalsTab" for "Privileged"). In some queues "Everyone"
>>> has two rights "CreateTicket" and "SeeQueue", but as far as I know
>>> they only grant privileges for creating a new ticket in these
>>> queues. Let this user be granted the global "ShowConfigTab" right
>>> ("Configuration" -> "Global" -> "User Rights", and there foo is
>>> granted "ShowConfigTab"). Now let foo log in. This user can see
>>> the configuration tab, but he can't modify anything since he is
>>> not allowed to. If he tries to modify anything RT won't allow it
>>> and foo will read a permission denied message. But if foo goes to
>>> "Configuration" -> "Global" -> "RT at a glance" and there he
>>> deletes "QuickCreate", RT allows it saying "Global portlet body
>>> saved.". Now let the privileged user bar log in. The RT at a
>>> glance of bar no longer has the "QuickCreate" frame when it
>>> previously had it. Hence, I don't want to grant foo the right of
>>> modifying the global RT at a glance!
>>>
>>> Is it the expected behaviour? Am I missing anything or doing
>>> something wrong?
>>>
>>> Thank you,
>>> Carlos
>>>
>>> _______________________________________________
>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>
>>> Community help: http://wiki.bestpractical.com
>>> Commercial support: [email protected]
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly
>>> Media. Buy a copy at http://rtbook.bestpractical.com
>>>
>
> --
>  _______ _______________________________________________________________
> | __ __ | Carlos García Montoro               Ingeniero Informático
> |_\_Y_/_| Instituto de Física Corpuscular     Centro Mixto CSIC - UV
> |\_] [_/| Servicios Informáticos
> | [_]   | Edificio Institutos de Investigación [email protected]
> |C S I C| Apartado de Correos 22085 E-46071 Valencia Tel: +34 963543706
> |_______| España / Spain                      Fax: +34 963543488
> <cgarcia.vcf>

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
