[rt-users] Merging into tickets you can't update

Stephen Turner sturner at MIT.EDU
Fri Aug 25 16:37:26 EDT 2006


One of our users recently mistakenly merged a ticket into a ticket 
that she didn't have modify rights to. She could no longer even see 
the merged ticket. In trying to track down why this would happen, I 
found this code in Ticket_Overlay.pm (MergeInto method):

  my $MergeInto = RT::Ticket->new($RT::SystemUser);
  $MergeInto->Load($ticket_id);

  # Make sure the current user can modify the new ticket.
  unless ( $MergeInto->CurrentUserHasRight('ModifyTicket') ) {
      return ( 0, $self->loc("Permission Denied") );
  }

Now, because the $MergeInto ticket was created with the RT System 
User, "CurrentUser" for this object seems to be RT::SystemUser and so 
always has ModifyTicket permission.

My question is - am I understanding this whole thing correctly? 
Should the MergeInto ticket object be created with $self->CurrentUser 
instead of RT::SystemUser?

Thanks,
Steve
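
The pattern asked about above, as an added example that is not part of the original post and not RT's code: a minimal Perl model in which a rights check is evaluated against the user an object was constructed with. The `Model::Ticket` package, the ACL table, the queue names and the users are hypothetical, and the model assumes, as the post observes, that the system user passes every rights check.

```perl
#!/usr/bin/perl
# Simplified model of the pattern in the post; NOT RT's code.
# Package, ACL table, queues and user names are hypothetical (constructed).
use strict;
use warnings;

package Model::Ticket;

# Constructed ACL: queue => { user => { right => 1 } }
my %ACL = (
    support => { alice => { ModifyTicket => 1 } },
    finance => { bob   => { ModifyTicket => 1 } },
);
my %QUEUE_OF = ( 1 => 'support', 2 => 'finance' );    # ticket id => queue

sub new {
    my ( $class, $current_user ) = @_;
    return bless { current_user => $current_user }, $class;
}

sub Load {
    my ( $self, $id ) = @_;
    @{$self}{qw(id queue)} = ( $id, $QUEUE_OF{$id} );
    return $self;
}

# Rights are evaluated against the user the object was constructed with.
sub CurrentUserHasRight {
    my ( $self, $right ) = @_;
    my $user = $self->{current_user};
    return 1 if $user eq 'system';    # assumption: system user bypasses the ACL
    return $ACL{ $self->{queue} }{$user}{$right} ? 1 : 0;
}

# $as_system = 1 loads the target as in the quoted code; 0 loads it as the caller.
sub MergeInto {
    my ( $self, $target_id, $as_system ) = @_;
    my $loader = $as_system ? 'system' : $self->{current_user};
    my $target = Model::Ticket->new($loader)->Load($target_id);
    return ( 0, 'Permission Denied' )
        unless $target->CurrentUserHasRight('ModifyTicket');
    return ( 1, 'Merge Successful' );
}

package main;

my $src = Model::Ticket->new('alice')->Load(1);
for my $as_system ( 1, 0 ) {
    my ( $ok, $msg ) = $src->MergeInto( 2, $as_system );
    printf "target loaded as %-6s => ok=%d (%s)\n",
        ( $as_system ? 'system' : 'alice' ), $ok, $msg;
}
```

With the target loaded as the system user the check passes for alice, who holds no right on the finance queue; with the target loaded as alice, the same call returns Permission Denied.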



