Subject: Should have better ACLs
No patch for this one yet I'm afraid :)
This lookup potentially leaks information in the RT database and LDAP
directory to privileged users. We would like to extend the ACL checks
that the AJAX interface offers so that only specified users (internal
support staff rather than external collaborators, for example) can use
this functionality.
I can't see an existing ACL that would be appropriate for this, and I'm
not sure whether we can add a new ACL easily (as an extension). I'll
post to rt-devel on this more general topic.