[rt-devel] ModifyTicket versus CommentOnTicket
Joop
jvdwege at xs4all.nl
Fri Jul 18 10:51:02 EDT 2014
Hi all,
Had a bit of a discussion with a colleague who has been auditing our RT
install about the mentioned subject. He found a user which could see and
commont on tickets without having CommentOnTicket but having
ModifyTicket to which I replied that he shouldn't be able to. Reading
the wiki led to the same answer. ModifyTicket also implies CommentOnTicket.
Still nog completely sure I went through the code and yes its in there
so he's right.
BUT I found a bug I think.
/lib/RT/Interface/Email/Auth/MailFrom.pm line 186 (version 4.2.2) check
for CommentOnTicket when the Action is comment but it doesn't check for
ModifyTicket while in /lib/RT/Ticket.pm line 1446 it does check on both
rights when checking for a comment.
Regards,
Joop
More information about the rt-devel
mailing list