CommitTicketUpdater makes changes on tickets on behalf of users without checking if they have sufficient permissions
Reported by: | Owned by: Remy Blank
CommitTicketUpdater checks for
We have a setup where committers can view only their own tickets. When I reference a ticket which I don't have permission even to see, CommitTicketUpdater still posts a comment on this ticket with my username and I get the notification e-mail, exposing the ticket summary and description.
I expected that if the commit_ticket_update_check_perms option is set, I won't be able to post comments to this ticket and that I won't be able to see the ticket summary and description.
I think we should check if the user has TICKET_APPEND permission before updating the ticket on their behalf.
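The failure the report describes is a component acting on behalf of a user without first checking that user's own permissions on the target resource. The following is an added illustration, not Trac's code: `update_tickets`, `permissions`, `fresh_tickets` and the sample tickets are hypothetical stand-ins that mirror the shape of the problem. With the check switched off, a commit referencing a ticket the committer cannot view still gets a comment posted (and therefore a notification carrying the summary); with the check on, the update requires the committer to hold both TICKET_VIEW and TICKET_APPEND on that ticket.

```python
"""Added example: a minimal model of the permission gate the ticket asks for.

Not Trac's CommitTicketUpdater. The data and functions below are hypothetical
stand-ins showing why a component that acts *on behalf of* the committer must
check the committer's own permissions on each referenced ticket first.
"""
import copy
import re

# Constructed sample data: committers may only see the tickets they own.
_SAMPLE_TICKETS = {
    7: {"owner": "alice", "summary": "Rotate signing key", "comments": []},
    8: {"owner": "bob", "summary": "Internal audit finding", "comments": []},
}

ADMINS = {"admin"}  # constructed: users with blanket ticket rights


def fresh_tickets():
    """Return an independent copy of the sample ticket store."""
    return copy.deepcopy(_SAMPLE_TICKETS)


def permissions(user, ticket):
    """Hypothetical policy: admins get everything; a committer gets
    TICKET_VIEW and TICKET_APPEND only on tickets they own."""
    if user in ADMINS:
        return {"TICKET_VIEW", "TICKET_APPEND", "TICKET_MODIFY"}
    if ticket["owner"] == user:
        return {"TICKET_VIEW", "TICKET_APPEND"}
    return set()


def find_ticket_refs(message):
    """Pull '#123'-style references out of a commit message."""
    return [int(m) for m in re.findall(r"#(\d+)", message)]


def update_tickets(author, message, check_perms, tickets):
    """Post the commit message as a comment on every referenced ticket,
    acting on behalf of *author*.

    Returns {ticket_id: "posted" | "denied" | "missing"}.  A "posted"
    result is exactly the point at which a real updater would also send
    the notification e-mail that discloses the ticket summary, so with
    check_perms=False that disclosure happens even when *author* may not
    view the ticket at all.
    """
    results = {}
    for tkt_id in find_ticket_refs(message):
        ticket = tickets.get(tkt_id)
        if ticket is None:
            results[tkt_id] = "missing"
            continue
        if check_perms:
            # The committer must be allowed both to see the ticket and to
            # append to it; otherwise nothing is written and nothing is sent.
            needed = {"TICKET_VIEW", "TICKET_APPEND"}
            if not needed <= permissions(author, ticket):
                results[tkt_id] = "denied"
                continue
        ticket["comments"].append({"author": author, "text": message})
        results[tkt_id] = "posted"
    return results


if __name__ == "__main__":
    msg = "Fix key handling, refs #7 #8"
    print("check_perms=False:", update_tickets("alice", msg, False, fresh_tickets()))
    print("check_perms=True: ", update_tickets("alice", msg, True, fresh_tickets()))
```

Running the module shows ticket #8 (owned by bob) receiving alice's comment when the check is off and being refused when it is on; ticket #7, which alice owns, is updated in both cases.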
Change History (10)
comment:1 by , 8 years ago
Component: general → ticket system
Status: new → assigned
comment:6 by , 8 years ago
Keywords: updater, → updater
Status: assigned → closed