[rt-users] RT 2.0.13 bug? Anyone can *update* a ticket
Vivek Khera
khera at kcilink.com
Thu Jun 27 12:33:08 EDT 2002
>>>>> "SJS" == Steven J Sobol <sjsobol at JustThe.net> writes:
SJS> I have group rights set as follows: Everyone - CreateTicket, Requestor -
SJS> CommentOnTIcket, ReplyToTicket, ShowTicket, Watch.
SJS> I created a ticket via e-mail and then sent and update in from an e-mail
SJS> address that belongs neither to the requestor nor any of the watchers. It
SJS> got posted. Should that be happening? (In my opinion, if you didn't
SJS> request a ticket and you're not a watcher/adminCC/CC, you shouldn't be
SJS> able to reply to it.)
Then don't give "everyone" the right to reply to a ticket. Give it
only to the requestor and admins/owners.
More information about the rt-users
mailing list