Page MenuHomePhabricator

need to figure out how to make an rt queue read-only
Closed, ResolvedPublic

Description

So that if you try to create a new task it does either the "nope" or a friendly "go here"

Event Timeline

chasemp created this task.Oct 16 2014, 8:23 PM
chasemp assigned this task to Dzahn.
chasemp raised the priority of this task from to Needs Triage.
chasemp updated the task description. (Show Details)
chasemp changed Security from none to None.
chasemp added a subscriber: chasemp.
  1. login as root on RT
  2. Tools -> Configuration -> Queues -> Select
  3. select queue in next screen
  4. on config screen, select "Group Rights"
  5. go through all groups on the left hand side (system, roles, user groups) and click them to see which checkboxes they have in the "General Rights" section
  6. remove all permissions that don't start with "View .."
  7. click "Rights for Staff" and "Rights for Administrators" as well and take away their rights as well, except the "View.." things

this should do the trick

ok, this was unexpected. i tested this with the unused "legal" queue and removed rights, then i tried creating a new ticket in that queue and i still could, even though i shouldn't have had the "create ticket" permission anymore. i most be overlooking something that makes ops members still have this globally.

anyways, after searching some more, i think we should just do this:

"granting rt_user mysql user only SELECT
right for rt3 db for all tables except sessions. "

other people say that's what they did to make an RT readonly globally.. and it's just easier and probably safer to change the mysql grant

..unless you litereally meant it has to be possible per queue and not for all queues at once

mark wants to keep the procurement and access-requests queues behind in RT for a bit, so yeah I guess per-queue if possible...if not possible we will have to get more info

i got it. we were handing out the 'create ticket' permission in the global section to any privileged user.

i removed that. and i believe it shouldn't affect anyone because either users are not "privileged" (those that just mail us) or they are members in another group which gives them this permission on queues.

this made it possible to go "per queue". The "legal" queue just simply doesn't show up for me anymore in the drop-down you get with "create ticket", but i can still read the tickets that exist in there.

https://rt.wikimedia.org/Ticket/Display.html?id=8665

Dzahn closed this task as Resolved.Oct 16 2014, 11:11 PM

also, as a bonus, here is how to check permissions in mysql if you don't wanna rely on finding all the checkboxes in the UI:

[rt]> SELECT Queues.Name AS queue_name,Groups.Name AS group_name,ACL.RightName AS right_name FROM ACL LEFT JOIN Groups ON ACL.PrincipalId = Groups.id JOIN Queues ON ACL.ObjectId = Queues.id WHERE Groups.Name IS NOT NULL and Queues.name="legal" ORDER BY queue_name,group_name,right_name;

gets you stuff like:

+------------+------------+---------------------+

queue_namegroup_nameright_name

+------------+------------+---------------------+

legalLegalSeeCustomField
legalLegalSeeQueue
legalLegalShowOutgoingEmail
legalLegalShowTicket
legalLegalShowTicketComments
legalOperationsSeeCustomField
legalOperationsSeeQueue
legalOperationsShowOutgoingEmail
legalOperationsShowScrips
legalOperationsShowTemplate
legalOperationsShowTicket
legalOperationsShowTicketComments
legalUser 23124CommentOnTicket
legalUser 23124CreateTicket
legalUser 23124ForwardMessage
legalUser 23124ModifyCustomField
legalUser 23124ModifyTicket

... and so on ...