[rt-devel] links to tickets without ShowTicket right displays owner
Christian Loos
cloos at netcologne.de
Wed Feb 5 06:13:30 EST 2014
Hi,
if you have ticket 1 which is linked to ticket 2 and the user doesn't
have rights for ticket 2 the link is:
1: [] (owner ticket 2)
The ticket 2 subject and status isn't displayed because the rights check
but the ticket 2 owner is displayed without any rights check.
Also, if ticket 2 status is closed the class of the span element of the
link isn't set to 'ticket-inactive' because the ticket 2 status value
isn't accessible for the user.
As a fix I would suggest adding an CurrentUserHasRight('ShowTicket')
check here:
https://github.com/bestpractical/rt/blob/stable/share/html/Elements/ShowLink#L49
With this, the link would fall back to $URI->AsString which shows only
the ticket id (the subject isn't shown in this case).
If this fix would be accepted, I have already an pull request open on
this file and maybe I can add an commit with this change to the PR:
https://github.com/bestpractical/rt/pull/85
or should I create a new PR?
Chris
More information about the rt-devel
mailing list