On 12 Mar 2015, at 18:41, Michael Jablonski wrote:
Hello everyone,
I currently have RT 4.2.9 installed. I have the ability for our
customers to log in and view their open and resolved tickets. This all
works great and they can comment, reply and change the status on their
tickets. However my issue is this: in the URL
"domain.tld/SelfService/Display.html?id= 1503120001 ". After the id=
it displays the ticket number.
If I am a cleaver user I can easily understand the ticketing number
and change it to 1503110001 and see the ticket that belongs to someone
else, and they have the ability to comment, reply etc.
I am looking for a way to either
1) Not have the ticket number displayed in the URL
Entirely infeasible, also not a solution, since it only slightly raises
the cleverness bar. RT depends on having unique URLs for tickets.
2) Not have the ability to view other tickets that do not belong to
the user logged in
That's what you get with the default Rights configuration. You may have
assigned overly-permissive Rights to the System groups "Everyone"
and/or "Unprivileged." On the Admin/Global/GroupRights.html page,
uncheck 'View ticket summaries' (ShowTicket) for those groups.
Unprivileged users should only get a ShowTicket Right by way of having a
Requestor or Cc role. You should also confirm that those roles DO have
it granted.
