It was reported [1] that GLPI prior to version 0.84.7 had a bug where a user without access to cost information can in fact see the information when selecting cost as a search criterion [2]. This is fixed by commit [3], which appears to have been included for version 0.84.7 [4].

[1]: http://seclists.org/oss-sec/2014/q3/213
[2]: https://forge.indepnet.net/issues/4984
[3]: https://forge.indepnet.net/projects/glpi/repository/revisions/23061
[4]: http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en

Created glpi tracking bugs for this issue:

Affects: fedora-all [bug 1122068]
Affects: epel-all [bug 1122069]

EPEL-7 and Fedora >= 20 have glpi 0.84.7
EPEL <= 6 and Fedora 19 have glpi 0.83.9

As the ticketcost is a new right/feature introduced in 0.84, in previous versions all users are allowed to see the cost tab.

So no bug.

Just for the record, a CVE has been assigned to this:

http://openwall.com/lists/oss-security/2014/07/22/15

Sorry for the noise - will check shipped versions more carefully next time.