use strict;
use warnings;
use RT::Test tests => undef;
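my $user = RT::Test->load_or_create_user(
    Name         => 'user',
    EmailAddress => 'user@example.com',
    Privileged   => 1,
    Password     => 'password',
);

# 'user' may create tickets anywhere but may only see tickets they requested,
# so ticket B (requested by root) must stay hidden from them.
ok(
    RT::Test->set_rights(
        { Principal => 'Everyone',  Right => [qw/CreateTicket/] },
        { Principal => 'Requestor', Right => [qw/ShowTicket/] },
    ),
    'set rights'
);

my $secret = "sekrit message";
RT::Test->create_tickets(
    {},
    {
        Subject   => 'ticket A',
        Requestor => $user->EmailAddress,
        Content   => "user's ticket",
    },
    {
        Subject   => 'ticket B',
        Requestor => 'root@localhost',
        Content   => $secret,
    },
);
my $ticket_b = RT::Test->last_ticket;

my ($baseurl, $m) = RT::Test->started_ok;
ok $m->login( 'user', 'password' ), 'logged in as user';

# Sanity check: the web UI itself refuses to show ticket B to this user.
$m->get_ok("$baseurl/Ticket/Display.html?id=" . $ticket_b->id);
$m->content_contains('No permission');
$m->warning_like(qr/no permission/i, 'no permission warning');

# Discard notifications generated so far so that only mail produced by the
# create below is inspected.
RT::Test->clean_caught_mails;

# Ticket Create is just one example of where this is vulnerable
$m->get_ok('/Ticket/Create.html?Queue=1');
$m->submit_form_ok({
    form_name => 'TicketCreate',
    fields    => {
        Subject       => 'ticket C',
        AttachTickets => $ticket_b->id,
    },
}, 'create a ticket');

my @mail = RT::Test->fetch_caught_mails;
ok scalar @mail, "got some outgoing emails";

# Check every outgoing message, not only the first: any notification that
# quotes the attached ticket would leak content this user cannot see.
for my $i (0 .. $#mail) {
    unlike $mail[$i], qr/\Q$secret\E/,
        "mail $i doesn't contain ticket user can't see";
}

undef $m;
done_testing;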