[rt-devel] ModifyTicket versus CommentOnTicket

Kevin Falcone falcone at bestpractical.com
Thu Jul 24 10:27:05 EDT 2014


On Fri, Jul 18, 2014 at 04:51:02PM +0200, Joop wrote:
> Had a bit of a discussion with a colleague who has been auditing our RT
> install about the mentioned subject. He found a user which could see and
> comment on tickets without having CommentOnTicket but having
> ModifyTicket, to which I replied that he shouldn't be able to. Reading
> the wiki led to the same answer. ModifyTicket also implies CommentOnTicket.
> Still not completely sure, I went through the code and yes, it's in there,
> so he's right.

Yep.  This has been this way a long long time.  One thing that escaped
this, ForwardTicket isn't implied by Modify.  Additionally, in 4.0 and
greater you can protect status transitions using lifecycle rights.

> BUT I found a bug I think.
> /lib/RT/Interface/Email/Auth/MailFrom.pm line 186 (version 4.2.2) check
> for CommentOnTicket when the Action is comment but it doesn't check for
> ModifyTicket while in /lib/RT/Ticket.pm line 1446 it does check on both
> rights when checking for a comment.

This has been this way a *long* time and I doubt we're going to change
it.  In fact, the change we'd rather make is to move *away* from
ModifyTicket implying ReplyToTicket and CommentOnTicket.

-kevin
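The thread describes two code paths that answer "may this user comment?" differently: the Ticket.pm check accepts either ModifyTicket or CommentOnTicket, while the mail gateway's MailFrom.pm check looks only for CommentOnTicket, and ModifyTicket does not imply ForwardTicket. The following Python is an added toy model of those rules for auditing a rights table; it is not RT's own code (RT is written in Perl), the user table and the `audit` helper are constructed here, and only the right names come from the thread.

```python
"""Toy model of the two RT comment-permission checks discussed in the thread.

Added illustration, not code from RT itself. The right names are RT's; the
way the two checks are modelled follows the thread's description:
  - the Ticket.pm path accepts either ModifyTicket or CommentOnTicket,
  - the MailFrom.pm path (mail gateway) accepts only CommentOnTicket.
Everything else (the user table, the audit helper) is constructed here.
"""

# Rights the thread says ModifyTicket implies; ForwardTicket is deliberately absent.
IMPLIED_BY_MODIFY_TICKET = frozenset({"ReplyToTicket", "CommentOnTicket"})


def effective_rights(granted):
    """Expand explicitly granted rights with those ModifyTicket implies."""
    rights = set(granted)
    if "ModifyTicket" in rights:
        rights |= IMPLIED_BY_MODIFY_TICKET
    return frozenset(rights)


def web_comment_allowed(granted):
    """Model of the Ticket.pm-style check: ModifyTicket or CommentOnTicket."""
    rights = set(granted)
    return "ModifyTicket" in rights or "CommentOnTicket" in rights


def mail_comment_allowed(granted):
    """Model of the MailFrom.pm-style check: CommentOnTicket only."""
    return "CommentOnTicket" in set(granted)


def forward_allowed(granted):
    """ForwardTicket must be granted explicitly; ModifyTicket does not imply it."""
    return "ForwardTicket" in set(granted)


def audit(users):
    """Return a per-user report flagging channels that disagree.

    `users` maps a user name to the rights explicitly granted on a ticket.
    The rows worth a second look are those where the web UI and the mail
    gateway reach different answers for the same user.
    """
    report = {}
    for name, granted in users.items():
        web = web_comment_allowed(granted)
        mail = mail_comment_allowed(granted)
        report[name] = {
            "effective": sorted(effective_rights(granted)),
            "web_comment": web,
            "mail_comment": mail,
            "forward": forward_allowed(granted),
            "inconsistent": web != mail,
        }
    return report


# Constructed sample data: the case the auditor found (ModifyTicket only),
# plus controls with an explicit CommentOnTicket grant and ForwardTicket only.
SAMPLE_USERS = {
    "modify_only": {"ModifyTicket"},
    "comment_only": {"CommentOnTicket"},
    "forward_only": {"ForwardTicket"},
}


def inconsistent_users(users=SAMPLE_USERS):
    """Names of users whose comment permission depends on the channel used."""
    return sorted(n for n, row in audit(users).items() if row["inconsistent"])


if __name__ == "__main__":
    for name, row in audit(SAMPLE_USERS).items():
        print(f"{name:13} web={row['web_comment']!s:5} mail={row['mail_comment']!s:5} "
              f"forward={row['forward']!s:5} effective={row['effective']}")
```

Running it shows the `modify_only` user as the single inconsistent row: allowed to comment through the web UI, refused by the modelled mail gateway check, and not allowed to forward. That is exactly the kind of row to look for when reviewing an RT rights table, since the granted rights alone do not tell you which channels a user can actually use.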