Hi All,
I've figured it out, I had been using the RT::User object class where I should
have been using RT::CurrentUser. A little more thought about what I was
implementing also alerted me to the fact that what I am building is a possible
security hole.
I'll repeat that in case anyone has found this on Google and plans to use it:
THIS CODE IS A POSSIBLE SECURITY FLAW! THINK LONG AND HARD!
Anyhoo, I'm fairly sure I understand and have addressed the security issues
here, so here's how I sorted this out for myself:
In .../share/html/REST/1.0/search/ticket, changed the first few lines as such:
<%ARGS>
$restrictUser => undef
$query
$format => undef
$orderby => undef
$fields => undef
</%ARGS>
<%INIT>
use RT::Interface::REST;

my $output = "";
my $status = "200 Ok";

# Give the RT::User object a CurrentUser; RT logs an error for records
# created without one.
my $user = RT::User->new( $session{CurrentUser} );
my $current_user_obj = $session{CurrentUser};

# Only honour $restrictUser when the authenticated REST user is "restuser".
if ( lc( $current_user_obj->UserObj->Name ) eq "restuser" ) {
    $user->Load($restrictUser) if ( defined $restrictUser );
}

# Fall back to the logged-in user when no restricted user was loaded.
$user = $session{CurrentUser} unless ( $user->Id );
my $current_user = RT::CurrentUser->new( $user );
my $tickets = RT::Tickets->new($current_user);

# Parse and validate any field specifications.
...(the rest of the file)
Now, just to point out and make absolutely clear, the possible security flaw
here is that a user can view tickets they do not have the right to see. In this
case I have circumvented this by only making use of $restrictUser when the
logged-in user is RestUser. As I am the only one who knows the password for
restUser, this functionality will only be accessible in scripts that I have
created and set up to use RestUser.
I'd very much appreciate it if anyone who can see any further security holes or
other bugs with what I've done would let me know.
Regards
Chris O'Kelly
Web Administrator
Minecorp Australia
37 Murdoch Circuit
Acacia Ridge QLD 4110
minecorp.com.au (http://www.minecorp.com.au)
P: 07 3723 1000
M: 0450 586 190
E: [email protected]
S: chris.okelly.mvs (Skype)
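Added example, not part of Chris's post and not RT's own code: the same impersonation switch for share/html/REST/1.0/search/ticket, but gated on an RT right rather than on a user-name string, and with every use of $restrictUser written to the RT log so it can be audited. It assumes the global SuperUser right is the gate, that $session{CurrentUser} and $restrictUser are set as in the original component, and that $ENV{REMOTE_ADDR} is available under the web server.

```perl
# Hardened variant of the $restrictUser gate (added example, not the original).
# Assumed gate: the caller must hold the global SuperUser right.
my $current_user = $session{CurrentUser};

if ( defined $restrictUser && length $restrictUser ) {
    my $caller = sprintf "%s (#%d)", $current_user->Name, $current_user->Id;
    my $addr   = $ENV{REMOTE_ADDR} || 'unknown';

    if ( $current_user->HasRight( Right => 'SuperUser', Object => $RT::System ) ) {
        my $target = RT::User->new( $current_user );
        $target->Load( $restrictUser );    # accepts a user id or a user name

        if ( $target->Id ) {
            # Audit trail: who searched as whom, and from where.
            $RT::Logger->info( "REST search: $caller searching as "
                  . $target->Name . " (#" . $target->Id . ") from $addr" );
            $current_user = RT::CurrentUser->new( $target );
        }
        else {
            # Unknown target: keep the caller's own rights and say so in the log,
            # rather than silently behaving as if $restrictUser had never been sent.
            $RT::Logger->warning(
                "REST search: $caller asked for unknown user '$restrictUser' from $addr" );
        }
    }
    else {
        # Not authorised to impersonate: ignore the parameter, but record the attempt.
        $RT::Logger->warning(
            "REST search: $caller lacks SuperUser, restrictUser '$restrictUser' ignored ($addr)" );
    }
}

# The rest of the component runs the search with whichever user was chosen.
my $tickets = RT::Tickets->new( $current_user );
```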
--------
Final RT training for 2012 in Atlanta, GA - October 23 & 24
http://bestpractical.com/training
We're hiring! http://bestpractical.com/jobs