[rt-users] Merging into tickets you can't update
Stephen Turner
sturner at MIT.EDU
Fri Aug 25 16:37:26 EDT 2006
One of our users recently mistakenly merged a ticket into a ticket
that she didn't have modify rights to. She could no longer even see
the merged ticket. In trying to track down why this would happen, I
found this code in Ticket_Overlay.pm (MergeInto method):

    my $MergeInto = RT::Ticket->new($RT::SystemUser);
    $MergeInto->Load($ticket_id);

    # Make sure the current user can modify the new ticket.
    unless ( $MergeInto->CurrentUserHasRight('ModifyTicket') ) {
        return ( 0, $self->loc("Permission Denied") );
    }

Now, because the $MergeInto ticket was created with the RT System
User, "CurrentUser" for this object seems to be RT::SystemUser and so
always has ModifyTicket permission.

My question is - am I understanding this whole thing correctly?
Should the MergeInto ticket object be created with $self->CurrentUser
instead of RT::SystemUser?

Thanks,
Steve
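
A stand-alone Perl model of the pattern described in the post above, added here as an illustration; it is not RT's code and not part of the original message. The Toy::User and Toy::Ticket packages, the ACL table and both merge_check_* functions are hypothetical, and the model assumes, as the post does, that the right check consults the user the object was constructed with.

```perl
#!/usr/bin/perl
# Toy model (not RT code): a right check asks the user the object was
# constructed with, so loading the target as a system user always passes.
use strict;
use warnings;

package Toy::User;
sub new      { my ($class, %a) = @_; return bless { %a }, $class }
sub name     { $_[0]{name} }
sub is_super { $_[0]{super} ? 1 : 0 }

package Toy::Ticket;
# Constructed ACL: ticket id => { user name => { right => 1 } }
my %ACL = ( 1 => { alice => { ModifyTicket => 1 } }, 2 => {} );

sub new  { my ($class, $user) = @_; return bless { current_user => $user }, $class }
sub Load { my ($self, $id) = @_; $self->{id} = $id; return $self }
sub CurrentUserHasRight {
    my ($self, $right) = @_;
    my $u = $self->{current_user};    # identity bound at new(), not the caller
    return 1 if $u->is_super;
    return $ACL{ $self->{id} }{ $u->name }{$right} ? 1 : 0;
}

package main;

my $SystemUser = Toy::User->new( name => 'system', super => 1 );

# Pattern from the post: merge target loaded as the system user.
sub merge_check_as_system {
    my ($caller, $target_id) = @_;
    my $target = Toy::Ticket->new($SystemUser)->Load($target_id);
    return $target->CurrentUserHasRight('ModifyTicket') ? 'allowed' : 'denied';
}

# Alternative the post asks about: merge target loaded as the calling user.
sub merge_check_as_caller {
    my ($caller, $target_id) = @_;
    my $target = Toy::Ticket->new($caller)->Load($target_id);
    return $target->CurrentUserHasRight('ModifyTicket') ? 'allowed' : 'denied';
}

my $alice = Toy::User->new( name => 'alice', super => 0 );
for my $id (1, 2) {
    printf "ticket %d: as system user => %s, as caller => %s\n",
        $id, merge_check_as_system($alice, $id), merge_check_as_caller($alice, $id);
}
```

In this model the two checks disagree only for ticket 2, the one the constructed user has no ModifyTicket right on, which is the case the post describes.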