Users with only 'comment' permissions on tickets wipe out all ticket metadata

8 years ago
7 years ago


What did you do to cause this? 1. Create example ticket 1 with user A who has access to create/update/comment on tickets. 2. Log into user B who has access to only create/comment on tickets. 3. Comment on ticket 1 with user B. 4. Observe that ticket 1's metadata fields have been changed to all "null", for example:

Changed Type from Task to null Changed Priority from Normal to null Changed Assignee from Tilius to null Changed Severity from High to Low Changed Version from null to null

(the title is also changed to blank)

What page were you on? Update ticket page.

What PHP and MySQL versions do you run? PHP 5.3.3-7 mysql Ver 14.14 Distrib 5.1.61

Describe the defect: Users with only 'comment' permissions on tickets wipe out all ticket metadata when they comment on a ticket.

I would like for typical users to be able to create tickets and comment on them, but not update ticket metadata (i.e.: move a ticket status to closed before it's actually resolved). So I created a user group that can only create and comment on tickets.

However, if I had to guess, seems like the comment form is submitting blank field values for the type/priority/assignee/etc fields, so that these fields get updated to null when a user comments on a ticket.

This affects at least 2.3.4 and also 2.3.5

Ticket History

8 years and 10 months ago by Jack

  • Closed ticket as Fixed