[rt-users] Let's solve a long-standing bug?
Jeff Blaine
jblaine at kickflop.net
Tue Mar 30 11:42:07 EDT 2010
I've taken this as far as I can. I'm challenging someone
with more RT development experience to find the bug :)
I've been told "That's the way it's always been" and that
a patch was welcome.
PROBLEM:
When modifying 'Basics' (or even specifically 'Custom Fields')
in the web UI, one is presented with a form rightfully only
showing the fields one has perms to *modify*.
When one *submits* that form *with changes*, the resulting
page shows all fields, editable, regardless of the user's
permission to modify.
DEBUGGING:
In Ticket/Elements/EditCustomFields, if you change:
% while ( my $CustomField = $CustomFields->Next ) {
% next unless $CustomField->CurrentUserHasRight('ModifyCustomField');
to this:
% while ( my $CF = $CustomFields->Next ) {
% if (! $CF->CurrentUserHasRight('ModifyCustomField')) {
% $RT::Logger->error($session{'CurrentUser'}->Name . " NO Modify
rights for " . $CF->Name);
% next;
% } else {
% $RT::Logger->error($session{'CurrentUser'}->Name . " YES Modify
rights for " . $CF->Name);
% }
a) The appropriate debug lines are logged when one is viewing
an "initial" Modify.html. There is, in my case, the appro-
priate single custom field noted as modifiable.
b) As a 'result' page, debug lines are logged indicating EVERY
field is modifiable
c) All debug lines in a + b indicate the correct current user
> On Mon 29.Mar'10 at 20:14:17 -0400, Jeff Blaine wrote:
>> Although... I just noticed something kooky when playing with
>> this. I don't know if the list accepts images, so I'll send
>> to you this once.
>>
>> rt-prob1.jpg shows me editing a ticket as a user who has
>> no privs to modify AffectedEmployeeDetails (which does not
>> even show up, as expected).
>>
>> Cool. That's perfect.
>>
>> However, if I add new info to AffectedEmployeeNumbers, which
>> I *do* have modify privs for, the resulting screen (rt-prob2.jpg)
>> gives me a seemingly-writeable text entry box for
>> AffectedEmployeeDetails instead of hiding it from me as above.
>>
>> Sure, trying to change AffectedEmployeeDetails gives me a
>> permission denied when I try to save, but... why hide it once
>> and not always?
>>
>> On 3/29/2010 7:56 PM, Jesse Vincent wrote:
>>>
>>>> Sadly, I knew about that, and had tested it to work just hours
>>>> before posting this. In those few hours I ended up in
>>>> share/html/Tickets/Elements/EditCustomFields to add the
>>>> display of $CustomField->Description information for the
>>>> viewer. I got sidetracked in that file and implemented
>>>> something I had already found a solution to.
>>>>
>>>> More sadly, I posted it publicly :)
>>>
>>> *laugh* It happens to the best of us.
>
>
>
>
More information about the rt-users
mailing list