id: 10911
summary: CommitTicketUpdater makes changes on tickets on behalf of users without checking if they have sufficient permissions
reporter: nikolay@…
owner: Remy Blank
description: "We have a setup, where committers can view only their own tickets. When I reference a ticket, to which I don't have permissions to even see, {{{CommitTicketUpdater}}} still posts a comment on this ticket with my username and I get the notification e-mail, exposing the ticket summary and description. I expected that if the {{{commit_ticket_update_check_perms}}} option is set, I won't be able to post comments to this ticket and that I won't be able to see the ticket summary and description. I think we should check if the user has {{{TICKET_APPEND}}} permission before updating the ticket on their behalf."
type: defect
status: closed
priority: normal
milestone: 1.0.1
component: ticket system
version: 1.0
severity: major
resolution: fixed
keywords: updater
cc:
branch:
changelog: CommitTicketUpdater checks for `TICKET_APPEND` when the `refs` command is provided.
apichanges:
internalchanges: