X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Fetc%2FRT_Config.pm;h=938d5fc13540902ef9adc4dad66d8c4a20486ff7;hb=eaa3f2ea365a7ad41eb687cc7896c4ac1120b5dc;hp=b4ca44c961efceefdb138d315d1091ceb125f810;hpb=5cdba011616de4afd742655a4a0250a26d5d049d;p=freeside.git diff --git a/rt/etc/RT_Config.pm b/rt/etc/RT_Config.pm index b4ca44c96..938d5fc13 100644 --- a/rt/etc/RT_Config.pm +++ b/rt/etc/RT_Config.pm @@ -1261,6 +1261,42 @@ via SSL encrypted HTTP connections. Set($WebSecureCookies, 0); +=item C<$WebHttpOnlyCookies> + +Default RT's session cookie to not being directly accessible to +javascript. The content is still sent during regular and AJAX requests, +and other cookies are unaffected, but the session-id is less +programmatically accessible to javascript. Turning this off should only +be necessary in situations with odd client-side authentication +requirements. + +=cut + +Set($WebHttpOnlyCookies, 1); + +=item C<$RestrictReferrer> + +If set to a false value, the HTTP C (sic) header will not be +checked to ensure that requests come from RT's own domain. As RT allows +for GET requests to alter state, disabling this opens RT up to +cross-site request forgery (CSRF) attacks. + +=cut + +Set($RestrictReferrer, 1); + +=item C<$RestrictLoginReferrer> + +If set to a false value, RT will allow the user to log in from any link +or request, merely by passing in C and C parameters; setting +it to a true value forces all logins to come from the login box, so the +user is aware that they are being logged in. The default is off, for +backwards compatability. + +=cut + +Set($RestrictLoginReferrer, 0); + =item C<$WebFlushDbCacheEveryRequest> By default, RT clears its database cache after every page view. @@ -1423,11 +1459,11 @@ Set ($DefaultSearchResultFormat, qq{ '__Subject__/TITLE:Subject', Customer, Status, - QueueName, + QueueName, OwnerName, Priority, '__NEWLINE__', - '', + '', '__Requestors__', '__CustomerTags__', '__CreatedRelative__', 
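Review bot: The new `$RestrictLoginReferrer` entry defaults to 0 and its POD explains that only as "backwards compatability" (also a typo for compatibility), without saying what the admin gives up: with it off, any link carrying user/pass query parameters logs the browser in, which is a login-CSRF vector and also puts credentials into URLs, server logs and the Referer of whatever page the user opens next. I would extend the paragraph before `=cut` with: `Leaving this off lets a crafted link log a browser in without the user's consent and exposes credentials in URLs and logs; set it to 1 unless a legacy integration depends on GET logins.` The `C (sic)` and `C and C` fragments in the `$RestrictReferrer` and `$RestrictLoginReferrer` paragraphs look like `C<Referer>`, `C<user>` and `C<pass>` markup that was lost in this rendering - worth confirming the committed file still carries the code formatting. Note too that `$WebSecureCookies` stays 0 in the context just above the new `$WebHttpOnlyCookies` block; HttpOnly only blocks script access and does nothing about the session id travelling over plaintext HTTP, so the two should be documented together for HTTPS deployments.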
@@ -1582,6 +1618,16 @@ Use this to set the default units for time entry to hours instead of minutes. Set($DefaultTimeUnitsToHours, 0); +=item C<$SimpleSearchIncludeResolved> + +By default, the simple ticket search in the top bar excludes "resolved" tickets +unless a status argument is specified. Set this to a true value to include +them. + +=cut + +Set($SimpleSearchIncludeResolved, 0); + =back =head1 L (rt-server) Configuration @@ -1735,6 +1781,23 @@ Should rejection notes be sent to the requestors? The default is true. Set($ApprovalRejectionNotes, 1); +=item C<@ReferrerWhitelist> + +This is a list of hostname:port combinations that RT will treat as being +part of RT's domain. This is particularly useful if you access RT as +multiple hostnames or have an external auth system that needs to +redirect back to RT once authentication is complete. + + Set(@ReferrerWhitelist, qw(www.example.com:443 www3.example.com:80)); + +If the "RT has detected a possible cross-site request forgery" error is triggered +by a host:port sent by your browser that you believe should be valid, you can copy +the host:port from the error message into this list. + +=cut + +Set(@ReferrerWhitelist, qw()); + =back =head1 Miscellaneous Configuration
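Review bot: The `@ReferrerWhitelist` POD ends by telling the admin to copy the host:port out of the "possible cross-site request forgery" error message into the list, but that value is presumably taken from the Referer of the rejected request, so following the advice on an error caused by a genuinely forged request would whitelist the attacker's origin. I would qualify that last paragraph: `Only add a host:port that you control and that legitimately serves or redirects to RT; an unfamiliar host appearing in the error message is a reason to investigate, not to whitelist it.` The matching rule is not visible here (exact string versus pattern, and whether the compared value always carries a port), and the POD should state it so admins know whether `www.example.com:443` also covers a Referer without an explicit port. The enclosing `=head1` section continues outside the hunk.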