Opened 12 years ago
Last modified 11 years ago
#10911 closed defect
CommitTicketUpdater makes changes on tickets on behalf of users without checking if they have sufficient permissions — at Initial Version
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.1 |
| Component: | ticket system | Version: | 1.0 |
| Severity: | major | Keywords: | updater |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
We have a setup where committers can view only their own tickets.
When I reference a ticket which I don't have permission to even see, CommitTicketUpdater still posts a comment on this ticket with my username and I get the notification e-mail, exposing the ticket summary and description.
I expected that if the commit_ticket_update_check_perms option is set, I won't be able to post comments to this ticket and that I won't be able to see the ticket summary and description.
I think we should check if the user has TICKET_APPEND permission before updating the ticket on their behalf.
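The check proposed above, as an added illustration that models the updater's behaviour rather than Trac's own code: a commit message is scanned for `#NNN` references, and with the permission check enabled a ticket is only commented on (and a notification sent) when the committer holds TICKET_APPEND and TICKET_VIEW on it. The ticket store, permission map and function names are assumptions for this example.

```python
import re

# Constructed stand-in for a Trac environment: a tiny ticket store and a
# per-user, per-ticket permission map (these names are not Trac's API).
def fresh_tickets():
    return {
        101: {"summary": "Public task", "comments": [], "notified": []},
        202: {"summary": "Restricted ticket", "comments": [], "notified": []},
    }

# Committer "alice" may only view and append to her own ticket, #101.
PERMISSIONS = {
    "alice": {101: {"TICKET_VIEW", "TICKET_APPEND"}},
}

# Ticket references in a commit message, e.g. "Fix crash, refs #101, #202".
REF_RE = re.compile(r"#(\d+)")


def update_tickets(tickets, message, author, check_perms):
    """Model of CommitTicketUpdater posting a comment on each referenced
    ticket on behalf of the committer.

    check_perms=False reproduces the reported behaviour: every referenced
    ticket gets a comment and a notification e-mail, even one the committer
    may not see.  check_perms=True skips a ticket unless the committer holds
    both TICKET_VIEW and TICKET_APPEND on it, so no comment is posted and no
    e-mail carrying the summary is sent for a ticket outside their view.
    Returns (updated ticket ids, skipped ticket ids)."""
    updated, skipped = [], []
    for ref in REF_RE.findall(message):
        tkt_id = int(ref)
        ticket = tickets.get(tkt_id)
        if ticket is None:
            continue  # unknown ticket number: nothing to update
        perms = PERMISSIONS.get(author, {}).get(tkt_id, set())
        if check_perms and not {"TICKET_VIEW", "TICKET_APPEND"} <= perms:
            skipped.append(tkt_id)
            continue
        ticket["comments"].append((author, "In changeset: %s" % message))
        ticket["notified"].append(author)  # e-mail would include the summary
        updated.append(tkt_id)
    return updated, skipped
```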