#266 - Users with only 'comment' permissions on tickets wipe out all ticket metadata
Type Defect
Status Fixed
Milestone 2.3.6
Version 2.3.5
Component -
Priority Normal
Severity Major
Owner Tilius
Assigned to -
Reported 11 years ago
Updated 10 years ago
Votes 0
Related tickets
Proposed time
Worked time

What did you do to cause this?

  1. Create example ticket 1 with user A who has access to create/update/comment on tickets.
  2. Log into user B who has access to only create/comment on tickets.
  3. Comment on ticket 1 with user B.
  4. Observe that ticket 1's metadata fields have been changed to all "null", for example:

Changed Type from Task to null Changed Priority from Normal to null Changed Assignee from Tilius to null Changed Severity from High to Low Changed Version from null to null

(the title is also changed to blank)

What page were you on? Update ticket page.

What PHP and MySQL versions do you run? PHP 5.3.3-7 mysql Ver 14.14 Distrib 5.1.61

Describe the defect: Users with only 'comment' permissions on tickets wipe out all ticket metadata when they comment on a ticket.

I would like for typical users to be able to create tickets and comment on them, but not update ticket metadata (i.e.: move a ticket status to closed before it's actually resolved). So I created a user group that can only create and comment on tickets.

However, if I had to guess, seems like the comment form is submitting blank field values for the type/priority/assignee/etc fields, so that these fields get updated to null when a user comments on a ticket.

This affects at least 2.3.4 and also 2.3.5

Ticket History

Jack closed as Fixed 11 years and 10 months ago