Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Jo and Kenn,

Thank you for your comments about this issue. In the end it was a bug in RT. Fortunately, I created a ticket on http://rt3.fsck.com/ and the people from Best Practical (I think that they were Kevin Falcone and Jesse Vincent) put their hands on it immediately and they have just solved this /*security bug*/.

This is part of the message posted by Kevin Falcone:

The most important fix is that RT now requires the SuperUser right to edit global RT at a Glance. In all previous 3.8 releases, the ShowConfigTab right unintentionally enabled this. If you have not granted this right to any non-administrative user, then this issue should not affect you.

You can read the whole text in the message RT 3.8.4 Released written by Kevin. So, you should probably consider either patching your current installation or upgrading it.

Kenn, Jo, thank you again for your help and comments, and thanks to the people of bestpractical.

Best wishes,
Carlos

Ken Crocker wrote:

Carlos, I'm with Jo on this one. We are on 3.6.4 and I have over 100 users and the majority of them do /*NOT*/ have the ShowConfigTab right yet they /*ALL*/ can modify their RT at a Glance settings.

Kenn
LBNL

On 6/5/2009 3:13 AM, Jo Rhett wrote:

Are you sure it's the global RT At a Glance? It seems everyone can modify it for themselves...

On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:

Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as you. But to my unpleasant surprise, a user who only has

- ShowConfigTab global right for himself,
- ShowApprovalsTab global right for Privileged users, and
- CreateTicket and SeeQueue in some queues as Everyone's rights in those queues

can do nothing harmful with the single exception of modifying the global RT at a glance. This behaviour has surprised me probably as much as you. Because of it, I want someone else to check this configuration in order to see whether it is my fault (I am doing something wrong) or it is an RT bug (this happens to everybody, but it shouldn't).

Greetings,
Carlos

PS: I found somewhere an RT installation for testing purposes, but user grants, including root, were so restricted that I couldn't reproduce the configuration I wanted.
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
PS: It seems to me that Shawn Moore also worked on fixing it.

Carlos
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
I wanted to grant ShowConfigTab only to a few users who are group directors at my institution, but I don't want them, by having it, to be able to modify the /*GLOBAL*/ RT at a glance, as they can if they have this single right.

Jo, I'm sure that it is the global RT at a glance, because I'm following these steps: Configuration - Global - RT at a glance, and because if any user who has ShowConfigTab changes something there, and you log out and log in as another user, the RT at a glance of the second user has changed.

Kenn, the problem is not that they can change their own RT at a glance. The problem is that they can change the global RT at a glance...

Perhaps I'm missing something, but at the moment, I don't know what it is.

Thank you again,
Carlos
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as you. But to my unpleasant surprise, a user who only has

- ShowConfigTab global right for himself,
- ShowApprovalsTab global right for Privileged users, and
- CreateTicket and SeeQueue in some queues as Everyone's rights in those queues

can do nothing harmful with the single exception of modifying the global RT at a glance. This behaviour has surprised me probably as much as you. Because of it, I want someone else to check this configuration in order to see whether it is my fault (I am doing something wrong) or it is an RT bug (this happens to everybody, but it shouldn't).

Greetings,
Carlos

PS: I found somewhere an RT installation for testing purposes, but user grants, including root, were so restricted that I couldn't reproduce the configuration I wanted.

Ken Crocker wrote:

Carlos, I may be mistaken, but I think the ShowConfigTab merely allows the user to see that tab and the functions under it. The user still needs to have other rights (like ShowTemplate and ModifyTemplate) in order to see/modify templates and I'm sure the same situation exists for other objects to be modified.

Kenn
LBNL

On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:

Sorry for posting this twice, but I'm trying to make it shorter.

Please, can anyone confirm that a user who only has the global right ShowConfigTab is able to modify the global RT at a glance? I'm using RT 3.8.2 and I would like to know if either I'm doing something wrong or this is the expected behaviour. If this were the second case, should this be considered a bug?

For a longer explanation, attached you can find my previous message.

Thanking you in advance,
Carlos

Subject: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
From: Carlos Garcia Montoro cgar...@ific.uv.es
Date: Fri, 29 May 2009 12:18:06 +0200
To: rt-users@lists.bestpractical.com

Hello,

I have a question/request about RT that I have neither been able to resolve by myself nor found in the RT wiki or by googling this mailing list.

I'm a newbie using RT. I'm installing an organizational RT (ver. 3.8.2). We have some departments that are autonomous of each other. Thus, I want to grant some privileges for every admin group of each department. I want to allow them to handle their own queues, groups, etc. But I also do not want to allow them to modify others' space.

I have achieved this configuration, i.e. admins are only able to see their groups, admins can see all queues but they are only allowed to modify some properties (Cc, AdminCc,...) of their own queues but not other queues. In order to do that I have granted them the global right ShowConfigTab. Otherwise they had rights but they couldn't use them (they couldn't modify group membership of their groups,...).

The problem I'm suffering is this: When I grant the ShowConfigTab right to a user or group, I'm also granting privileges to modify the global RT at a glance.

Let me show an example:

Let me create a user foo who can be granted rights ("Let this user be granted rights" is checked). This new user isn't a member of any group, so he has no rights other than those of Everyone and Privileged. At this moment, global rights for these groups are the default (no global right for Everyone, and only ShowApprovalsTab for Privileged). In some queues Everyone has two rights, CreateTicket and SeeQueue, but as far as I know they only grant privileges for creating a new ticket in these queues.

Let this user be granted the global ShowConfigTab right (Configuration - Global - User Rights, and there foo is granted ShowConfigTab).

Now let foo log in. This user can see the configuration tab, but he can't modify anything since he is not allowed to. If he tries to modify anything RT won't allow it and foo will read a permission denied message. But if foo goes to Configuration - Global - RT at a glance and there he deletes QuickCreate, RT allows it, saying "Global portlet body saved."

Now let the privileged user bar log in. The RT at a glance of bar no longer has the QuickCreate frame when it previously had it.

Hence, I don't want to grant foo the right of modifying the global RT at a glance!

Is it the expected behaviour? Am I missing anything or doing something wrong?

Thank you,
Carlos

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
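The foo/bar behaviour reported in this message, set beside the check described in the RT 3.8.4 announcement quoted earlier in the thread, as a small Python model. This is an added illustration, not part of the thread and not RT's code: the right names and the users foo and bar come from the thread, while the data layout, function names and the OtherPortlet entry are constructed.

```python
# Constructed model, not RT code. Right names and the users foo/bar come from
# the thread; data layout, function names and "OtherPortlet" are hypothetical.

# Global-level grants: principal (user or group) -> rights.
GLOBAL_ACL = {
    "Everyone": set(),
    "Privileged": {"ShowApprovalsTab"},
    "foo": {"ShowConfigTab"},
    "root": {"SuperUser"},
}
# Group membership of the privileged users in the scenario.
MEMBER_OF = {
    "foo": ["Everyone", "Privileged"],
    "bar": ["Everyone", "Privileged"],
    "root": ["Everyone", "Privileged"],
}


def effective_rights(user, acl=GLOBAL_ACL, member_of=MEMBER_OF):
    """Union of the user's own global rights and those of their groups."""
    rights = set(acl.get(user, set()))
    for group in member_of.get(user, []):
        rights |= acl.get(group, set())
    return rights


def has_right(user, right, acl=GLOBAL_ACL, member_of=MEMBER_OF):
    rights = effective_rights(user, acl, member_of)
    # SuperUser implies every other right.
    return "SuperUser" in rights or right in rights


class GlobalHomepage:
    """The shared 'RT at a glance' layout that every user sees."""

    def __init__(self, required_right):
        self.required_right = required_right          # right checked on save
        self.portlets = ["QuickCreate", "OtherPortlet"]

    def save(self, user, portlets):
        if not has_right(user, self.required_right):
            raise PermissionError(f"{user}: permission denied")
        self.portlets = list(portlets)
        return "Global portlet body saved."

    def view(self, user):
        # No per-user override in this model: everyone gets the global layout.
        return list(self.portlets)


def try_remove_quickcreate(page, user):
    """Replay foo's action from the thread; True if the save was accepted."""
    try:
        page.save(user, [p for p in page.portlets if p != "QuickCreate"])
        return True
    except PermissionError:
        return False


def exposed_users(acl=GLOBAL_ACL, member_of=MEMBER_OF):
    """Audit: users who hold ShowConfigTab (directly or through a group)
    without SuperUser, i.e. the grants to review on a pre-3.8.4 install."""
    found = []
    for user in member_of:
        rights = effective_rights(user, acl, member_of)
        if "ShowConfigTab" in rights and "SuperUser" not in rights:
            found.append(user)
    return sorted(found)


if __name__ == "__main__":
    before = GlobalHomepage("ShowConfigTab")  # behaviour reported on 3.8.2
    after = GlobalHomepage("SuperUser")       # check described for 3.8.4
    print("before:", try_remove_quickcreate(before, "foo"), before.view("bar"))
    print("after: ", try_remove_quickcreate(after, "foo"), after.view("bar"))
    print("grants to review:", exposed_users())
```

The audit function follows group membership, so a ShowConfigTab grant to a group such as Privileged shows up as every member of that group.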
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Are you sure it's the global RT At a Glance? It seems everyone can modify it for themselves...
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Yes. Everyone who is allowed to ShowConfigTab can modify the global RT at a glance, modifying others' homepage. I find it ugly...

Carlos
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Carlos, I'm with Jo on this one. We are on 3.6.4 and I have over 100 users and the majority of them do /*NOT*/ have the ShowConfigTab right yet they /*ALL*/ can modify their RT at a Glance settings.

Kenn
LBNL
Re: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
Carlos,

I may be mistaken, but I think the ShowConfigTab merely allows the user to see that tab and the functions under it. The user still needs to have other rights (like ShowTemplate and ModifyTemplate) in order to see/modify templates and I'm sure the same situation exists for other objects to be modified.

Kenn
LBNL

On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:

Sorry for posting this twice, but I'm trying to make it shorter.

Please, can anyone confirm that a user who only has the global right ShowConfigTab is able to modify the global RT at a glance?

I'm using RT 3.8.2 and I would like to know if either I'm doing something wrong or this is the expected behaviour. If this were the second case, should this be considered a bug?

For a longer explanation, attached you can find my previous message.

Thanking you in advance,
Carlos

Subject: [rt-users] Rights issue on Configuration - Global - RT at a glance on RT 3.8.2
From: Carlos Garcia Montoro cgar...@ific.uv.es
Date: Fri, 29 May 2009 12:18:06 +0200
To: rt-users@lists.bestpractical.com

Hello,

I have a question/request about RT that I have neither been able to resolve by myself nor found on the RT wiki or by googling this mailing list.

I'm a newbie using RT. I'm installing an organizational RT (ver. 3.8.2). We have some departments that are autonomous of each other. Thus, I want to grant some privileges to every admin group of each department. I want to allow them to handle their own queues, groups, etc. But I also want not to allow them to modify others' space.

I have achieved this configuration, i.e. admins are only able to see their groups, admins can see all queues but they are only allowed to modify some properties (Cc, AdminCc,...) of their own queues but not other queues. In order to do that I have granted them the global right ShowConfigTab. Otherwise they had rights but they couldn't use them (they couldn't modify group membership of their groups,...).

The problem I'm suffering is this: When I grant the ShowConfigTab right to a user or group, I'm also granting privileges to modify the global RT at a glance.

Let me show an example:

Let me create a user foo who can be granted rights ("Let this user be granted rights" is checked). This new user isn't a member of any group, so he has no rights other than those of Everyone and Privileged. At this moment, global rights for these groups are the default (no global right for Everyone, and only ShowApprovalsTab for Privileged). In some queues Everyone has two rights, CreateTicket and SeeQueue, but as far as I know they only grant privileges for creating a new ticket in these queues.

Let this user be granted the global ShowConfigTab right (Configuration - Global - User Rights, and there foo is granted ShowConfigTab).

Now let foo log in. This user can see the configuration tab, but he can't modify anything since he is not allowed to. If he tries to modify anything RT won't allow it and foo will read a permission denied message. But if foo goes to Configuration - Global - RT at a glance and there he deletes QuickCreate, RT allows it, saying "Global portlet body saved."

Now let the privileged user bar log in. The RT at a glance of bar no longer has the QuickCreate frame when it previously had it.

Hence, I don't want to grant foo the right of modifying the global RT at a glance!

Is it the expected behaviour? Am I missing anything or doing something wrong?

Thank you,
Carlos

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
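
The behaviour reported in this thread, next to the SuperUser gate that the quoted release note describes, as an added example that is not part of the original messages and is not RT's own code. It is a simplified Python model: the rights names and QuickCreate come from the thread, while every class, function and other portlet name is hypothetical.

```python
# Simplified model of the access-control defect reported in this thread.
# Not RT source code: every class, function and data value here is hypothetical.

# Constructed global group rights, matching the defaults Carlos describes.
GROUP_RIGHTS = {"Everyone": set(), "Privileged": {"ShowApprovalsTab"}}

class User:
    def __init__(self, name, rights=(), groups=("Everyone", "Privileged")):
        self.name, self.rights, self.groups = name, set(rights), set(groups)

def has_right(user, right):
    """Direct grants plus group grants; SuperUser implies every right."""
    held = set(user.rights)
    for group in user.groups:
        held |= GROUP_RIGHTS.get(group, set())
    return right in held or "SuperUser" in held

def save_global_portlets(user, new_layout, shared_layout, required_right):
    """Write handler for the dashboard shared by all users."""
    if not has_right(user, required_right):
        return "Permission denied"
    shared_layout[:] = new_layout  # every other user now sees this layout
    return "Global portlet body saved."

def replay_report(required_right):
    """foo (ShowConfigTab only) tries to delete QuickCreate from the global page."""
    foo = User("foo", {"ShowConfigTab"})
    shared = ["QuickCreate", "MyTickets", "Queues"]  # constructed layout
    wanted = [p for p in shared if p != "QuickCreate"]
    message = save_global_portlets(foo, wanted, shared, required_right)
    return message, shared  # `shared` is what user bar gets at next login

def audit_exposed(users):
    """Holders of ShowConfigTab without SuperUser: the accounts that could
    edit the shared page while the write was gated on ShowConfigTab."""
    return sorted(u.name for u in users
                  if has_right(u, "ShowConfigTab") and not has_right(u, "SuperUser"))

if __name__ == "__main__":
    print(replay_report("ShowConfigTab"))  # behaviour reported on 3.8.2
    print(replay_report("SuperUser"))      # gate described for the fixed release
    accounts = [User("foo", {"ShowConfigTab"}), User("bar"), User("root", {"SuperUser"})]
    print(audit_exposed(accounts))
```

On an unpatched installation, the accounts returned by an audit like `audit_exposed` are the ones whose ShowConfigTab grant needs review.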