[rt-users] RT 2.0.13 bug? Anyone can *update* a ticket

Vivek Khera khera at kcilink.com
Thu Jun 27 12:33:08 EDT 2002


>>>>> "SJS" == Steven J Sobol <sjsobol at JustThe.net> writes:

SJS> I have group rights set as follows: Everyone - CreateTicket, Requestor -
SJS> CommentOnTIcket, ReplyToTicket, ShowTicket, Watch.

SJS> I created a ticket via e-mail and then sent and update in from an e-mail
SJS> address that belongs neither to the requestor nor any of the watchers. It
SJS> got posted. Should that be happening? (In my opinion, if you didn't 
SJS> request a ticket and you're not a watcher/adminCC/CC, you shouldn't be
SJS> able to reply to it.)

Then don't give "everyone" the right to reply to a ticket.  Give it
only to the requestor and admins/owners.




More information about the rt-users mailing list