Users with only 'comment' permissions on tickets wipe out all ticket metadata

266
Defect
Tilius
-
2.3.6
2.3.5
-
Fixed
Normal
Major
5 years ago
3 years ago
0

Description

What did you do to cause this? 1. Create example ticket 1 with user A who has access to create/update/comment on tickets. 2. Log into user B who has access to only create/comment on tickets. 3. Comment on ticket 1 with user B. 4. Observe that ticket 1's metadata fields have been changed to all "null", for example:

Changed Type from Task to null Changed Priority from Normal to null Changed Assignee from Tilius to null Changed Severity from High to Low Changed Version from null to null

(the title is also changed to blank)

What page were you on? Update ticket page.

What PHP and MySQL versions do you run? PHP 5.3.3-7 mysql Ver 14.14 Distrib 5.1.61

Describe the defect: Users with only 'comment' permissions on tickets wipe out all ticket metadata when they comment on a ticket.

I would like for typical users to be able to create tickets and comment on them, but not update ticket metadata (i.e.: move a ticket status to closed before it's actually resolved). So I created a user group that can only create and comment on tickets.

However, if I had to guess, seems like the comment form is submitting blank field values for the type/priority/assignee/etc fields, so that these fields get updated to null when a user comments on a ticket.

This affects at least 2.3.4 and also 2.3.5

Ticket History

5 years and 5 months ago by Jack

  • Closed ticket as Fixed