Re: [rt-users] skip the queue selection for unprivileged users

[Izz Abdullah]

I had already removed from the web ui all of the privileges I could find at the 
group and queue level.  Upon inspection in mySQL I find these oddities which 
have 'SeeQueue' rights:

Groups Table:
5 |      | Pseudogroup for internal use | SystemInternal | Unprivileged |       
 0 |       0 | NULL    |             0 | NULL
4 |      | Pseudogroup for internal use | SystemInternal | Privileged |        
0 |       0 | NULL    |             0 | NULL
52233 | User 52232 | ACL equiv. for user 52232 | ACLEquivalence | UserEquiv |   
 52232 |       0 | NULL    |             0 | NULL
25 | User 24 | ACL equiv. for user 24 | ACLEquivalence | UserEquiv |       24 | 
      0 | NULL    |             0 | NULL

Can anyone explain this? Or was there some odd inventions in the database 
before I came in and started the migration? :)

From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kenneth Crocker
Sent: Thursday, October 06, 2011 10:38 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] skip the queue selection for unprivileged users

Izz,

check out what rights you have granted at the Queue level. Go to each Queue and 
see what you did. Any of them could have granted "SeeQueue" and "CreateTicket" 
granted to Everyone or unprivileged.

Kenn
LBNL
On Thu, Oct 6, 2011 at 8:04 AM, Izz Abdullah 
<izz.abdul...@hibbett.com<mailto:izz.abdul...@hibbett.com>> wrote:
Interesting...I have 26 rows, all principal types of group.  Of that, there are 
9 unique principal ids.  If I add the 3 system groups and our 6 user groups, we 
have 9.  Thanks for the sql...I'll look around and see why these have that 
right, where it came from, and I'll post back.

-----Original Message-----
From: ruslan.zaki...@gmail.com<mailto:ruslan.zaki...@gmail.com> 
[mailto:ruslan.zaki...@gmail.com<mailto:ruslan.zaki...@gmail.com>] On Behalf Of 
Ruslan Zakirov
Sent: Thursday, October 06, 2011 9:49 AM
To: Izz Abdullah
Cc: rt-users@lists.bestpractical.com<mailto:rt-users@lists.bestpractical.com>
Subject: Re: [rt-users] skip the queue selection for unprivileged users

Hi,

Unprivileged users still can be in some groups. Use SELECT * FROM ACL
WHERE RightName  = 'SeeQueue'; This may give you a clue.

On Thu, Oct 6, 2011 at 3:59 PM, Izz Abdullah 
<izz.abdul...@hibbett.com<mailto:izz.abdul...@hibbett.com>> wrote:
> That is what I thought, but I can only 'see' the privileged users in the web 
> UI since we are using LDAP authentication.  So if I go instead to 
> Tools->Configuration->Global->Group Rights, I have already removed the rights 
> for 'Everyone' and 'Unprivileged'.  These two groups have no rights at all at 
> the global level.  The user groups we have defined are limited to privileged 
> users, so this is why I am stumped removing the rights hasn't solved my 
> problem.
>
> -----Original Message-----
> From: ruslan.zaki...@gmail.com<mailto:ruslan.zaki...@gmail.com> 
> [mailto:ruslan.zaki...@gmail.com<mailto:ruslan.zaki...@gmail.com>] On Behalf 
> Of Ruslan Zakirov
> Sent: Thursday, October 06, 2011 8:54 AM
> To: Izz Abdullah
> Cc: rt-users@lists.bestpractical.com<mailto:rt-users@lists.bestpractical.com>
> Subject: Re: [rt-users] skip the queue selection for unprivileged users
>
> Hi,
>
> Then SeeQueue and CreateTicket is granted to too many users.
>
> On Thu, Oct 6, 2011 at 3:44 PM, Izz Abdullah 
> <izz.abdul...@hibbett.com<mailto:izz.abdul...@hibbett.com>> wrote:
>> So I have removed all the rights from a 3.8.4 migrated database into 4.0.2
>> for unprivileged users on all queues except the 'General' queue.  I also
>> have set in the SiteConfig file the DefaultQueue to "General", but
>> unprivileged users still receive a screen for 'Queue selection' when
>> creating a new ticket, AND it allows them to create tickets in queues other
>> than the General queue.
>>
>>
>>
>> I am a bit stumped on this.  If I have removed the permissions, why can
>> unprivileged users still see and create tickets in other queues?
>>
>>
>>
>> We have, for example Queue1, Queue2, Queue3, etc.
>>
>> I don't want them to see or access Queue1 - QueueN, but ONLY the General
>> Queue.
>>
>> --------
>> RT Training Sessions (http://bestpractical.com/services/training.html)
>> *  San Francisco, CA, USA - October 18 & 19, 2011
>> *  Washington DC, USA - October 31 & November 1, 2011
>> *  Barcelona, Spain - November 28 & 29, 2011
>>
>
>
>
> --
> Best regards, Ruslan.
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Barcelona, Spain  November 28 & 29, 2011



--
Best regards, Ruslan.
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  San Francisco, CA, USA  October 18 & 19, 2011
*  Washington DC, USA  October 31 & November 1, 2011
*  Barcelona, Spain  November 28 & 29, 2011


--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  San Francisco, CA, USA — October 18 & 19, 2011
*  Washington DC, USA — October 31 & November 1, 2011
*  Barcelona, Spain — November 28 & 29, 2011