
This queue is for tickets about the RT-Extension-MobileUI CPAN distribution.

Report information
The Basics
Id: 71453
Status: rejected
Priority: 0/
Queue: RT-Extension-MobileUI

People
Owner: Nobody in particular
Requestors: antoine.davous [...] aviler.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Queue rights on RT mobile access
Date: Tue, 4 Oct 2011 22:46:18 +0200
To: <bug-RT-Extension-MobileUI [...] rt.cpan.org>
From: "Antoine Davous" <antoine.davous [...] aviler.net>
Hi,

I am a small company that has been using RT 4.0.2 over CentOS for a short time. Everything is fine: I created a group for each of my customers and an associated queue, with proper rights, so people from one of my customers can't access tickets from another. However, there is some risk for me, because no customer would accept showing this information to another company.

Until... I discovered mobile access and its amazing UI. Until I discovered that the behavior regarding rights is very different: anyone from any group (even Unprivileged users) can access any queue, for read at least! Unacceptable, obviously!

You should put a warning about this! I have to find a way to disable access from mobile soon, before one of my customers has the idea to use his iPhone.

How did I manage rights:
Groups CustomerA, CustomerB, ...
Queues CustomerA, CustomerB, ...

Adding users to relevant groups.

For queue CustomerA, I added group CustomerA rights: CreateTicket, ViewQueue, ModifyTicket. And B the same.

That's all and it's working like a charm from the user perspective: each user can access tickets only from the queue of the company he belongs to - except if you think there are holes in this concept?

Regards,
Antoine Davous
Subject: Re: [rt.cpan.org #71453] Queue rights on RT mobile access
Date: Wed, 05 Oct 2011 13:26:57 -0400
To: bug-RT-Extension-MobileUI [...] rt.cpan.org
From: Thomas Sibley <trs [...] bestpractical.com>
On 10/04/2011 04:46 PM, Antoine Davous via RT wrote:
> Until... I discovered mobile access and its amazing UI. Until I discovered
> that the behavior regarding rights is very different: anyone from any group
> (even Unprivileged users) can access any queue, for read at least!
> Unacceptable, obviously!
>
> You should put a warning about this! I have to find a way to disable access
> from mobile soon, before one of my customers has the idea to use his
> iPhone.

This is almost certainly a case of rights granted too widely in your RT system. We are unable to replicate that the mobile UI allows access to tickets or queues regardless of rights.

> How did I manage rights:
> Groups CustomerA, CustomerB, ...
> Queues CustomerA, CustomerB, ...
>
> Adding users to relevant groups.
>
> For queue CustomerA, I added group CustomerA rights: CreateTicket,
> ViewQueue, ModifyTicket.
> And B the same. That's all and it's working like a charm from the user
> perspective: each user can access tickets only from the queue of the
> company he belongs to - except if you think there are holes in this concept?

You probably granted ShowTicket or SeeQueue or other rights far too widely to internal groups on a global or queue level.

Thomas
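One way to check for the over-broad grants Thomas points at, added here as an example and not taken from the ticket or from RT's own tooling: the two queries below read RT's ACL table directly and list every grant of a ticket- or queue-viewing right that was made either globally (on RT::System, where it applies to every queue) or to one of RT's system-internal groups (Everyone, Privileged, Unprivileged) on an individual queue. Assumed: the RT 4.0 database schema the reporter's version uses (tables ACL, Groups and Queues, with system groups identified by Groups.Domain = 'SystemInternal' and Groups.Type; RT 4.2 and later renamed Groups.Type to Groups.Name), and the RT right names ShowTicket, SeeQueue and SuperUser.

```sql
-- Added example, not RT code: audit an RT 4.0 database for rights grants that
-- reach users outside a customer's own group.  Assumes the RT 4.0 schema
-- (ACL, Groups, Queues); on RT 4.2+ replace g.Type with g.Name.

-- 1. Global grants.  Anything granted on RT::System applies to every queue,
--    so a ShowTicket/SeeQueue grant here silently overrides the per-queue
--    customer-group setup.  Domain tells you whether the grantee is a
--    system-internal group (Everyone/Privileged/Unprivileged) or a
--    user-defined one.
SELECT a.id                     AS ace_id,
       a.RightName,
       g.Domain                 AS group_domain,
       COALESCE(g.Name, g.Type) AS group_name
FROM   ACL a
JOIN   Groups g ON g.id = a.PrincipalId
WHERE  a.PrincipalType = 'Group'        -- group grants, not role grants (Requestor, Owner, ...)
  AND  a.ObjectType    = 'RT::System'   -- global scope
  AND  a.RightName IN ('ShowTicket', 'SeeQueue', 'SuperUser')
ORDER  BY a.RightName, group_domain, group_name;

-- 2. Queue-level grants to the system-internal groups.  A grant to Everyone
--    or Unprivileged on queue CustomerA reaches every user, including the
--    members of group CustomerB.
SELECT a.id      AS ace_id,
       q.Name    AS queue_name,
       a.RightName,
       g.Type    AS system_group        -- Everyone / Privileged / Unprivileged
FROM   ACL a
JOIN   Groups g ON g.id = a.PrincipalId
JOIN   Queues q ON q.id = a.ObjectId
WHERE  a.PrincipalType = 'Group'
  AND  a.ObjectType    = 'RT::Queue'
  AND  g.Domain        = 'SystemInternal'
  AND  a.RightName IN ('ShowTicket', 'SeeQueue', 'SuperUser')
ORDER  BY q.Name, a.RightName;
```

Run both against the RT database with a read-only account. In a setup like the reporter's, the first query should return no ShowTicket, SeeQueue or SuperUser row for Everyone or Unprivileged (a global grant to an internal staff group may be intentional), and the second should return nothing at all. The queries only look at direct grants; a customer group nested inside a group that holds broader rights would inherit them through membership and is not caught here.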