One of my customers has just alerted me to the fact that by doing a certain 
search they can list tickets they shouldn't be able to see.

For example, they build this search

Status = 'open' OR Status = 'stalled' 

in the Advanced search, and they can see rows returned for queues they do not 
have SeeQueue and ShowTicket rights for.

However, if you put parentheses round the search it works correctly:

(Status = 'open' OR Status = 'stalled')

This is on 3.8.4; we've got 3.8.8 on a test system and it doesn't seem to 
show the same problem there.

Anyone noticed this before?

I use UseSQLForACLChecks = 1. If I turn that off then at least they can't see 
things they shouldn't, but the search results are then very messed up and you 
might have to page through until you find a visible ticket.

Justin

-------------------------------------------------
Justin Hayes
OpenBet Support Manager
[email protected]
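An added example, not from the original post or from RT's own code, that reproduces the symptom described above under one assumption: that with UseSQLForACLChecks the queue-visibility check is appended to the user's TicketSQL clause with a bare AND, so SQL operator precedence binds it only to the right-hand side of an unparenthesised OR. The table, queue numbers, ticket rows and the `build_where` helper are constructed for the demonstration; the fix shown is to parenthesise the user's clause server-side.

```python
import sqlite3

# Constructed sample data: two queues; the searching user may only see queue 1.
TICKETS = [
    (1, 1, "open"),
    (2, 1, "stalled"),
    (3, 2, "open"),     # must stay hidden from the user
    (4, 2, "stalled"),  # must stay hidden from the user
    (5, 2, "new"),      # hidden, and does not match the search anyway
]
VISIBLE_QUEUES = (1,)

# The search from the post, used here as a fixed test input.
SEARCH = "Status = 'open' OR Status = 'stalled'"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tickets (id INTEGER, Queue INTEGER, Status TEXT)")
    conn.executemany("INSERT INTO Tickets VALUES (?, ?, ?)", TICKETS)
    return conn


def build_where(user_clause, visible_queues, parenthesize):
    """Hypothetical model of the SQL ACL check: the visibility test is ANDed
    onto the user's clause.  Because AND binds tighter than OR, an
    unparenthesised OR leaves its left operand unrestricted; wrapping the
    user's clause in parentheses restores the intended restriction."""
    acl = "Queue IN (%s)" % ",".join("?" * len(visible_queues))
    search = "(%s)" % user_clause if parenthesize else user_clause
    return "%s AND %s" % (search, acl)


def visible_ids(user_clause, parenthesize):
    """Ticket ids the query actually returns for this user."""
    conn = _connect()
    where = build_where(user_clause, VISIBLE_QUEUES, parenthesize)
    rows = conn.execute("SELECT id FROM Tickets WHERE " + where, VISIBLE_QUEUES)
    return sorted(r[0] for r in rows.fetchall())


def leaked_ids(user_clause, parenthesize):
    """Returned ids that belong to queues the user is not allowed to see."""
    hidden = {t[0] for t in TICKETS if t[1] not in VISIBLE_QUEUES}
    return sorted(hidden & set(visible_ids(user_clause, parenthesize)))
```

Running `leaked_ids(SEARCH, parenthesize=False)` returns ticket 3 from the forbidden queue, while the parenthesised form returns nothing from it, matching the behaviour reported in the post.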
