Edgewall Software

Opened 12 years ago

Last modified 11 years ago

#10911 closed defect

CommitTicketUpdater makes changes on tickets on behalf of users without checking if they have sufficient permissions — at Initial Version

Reported by: nikolay@…
Owned by:
Priority: normal
Milestone: 1.0.1
Component: ticket system
Version: 1.0
Severity: major
Keywords: updater
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

We have a setup where committers can view only their own tickets.

When I reference a ticket that I don't even have permission to see, CommitTicketUpdater still posts a comment on this ticket with my username, and I get the notification e-mail, exposing the ticket summary and description.

I expected that if the commit_ticket_update_check_perms option is set, I would not be able to post comments to this ticket and would not be able to see the ticket summary and description.

I think we should check if the user has TICKET_APPEND permission before updating the ticket on their behalf.
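An added illustration of the check asked for above (not Trac's own code, and not the change the project shipped): a minimal commit-hook updater over constructed tickets and a constructed "own tickets only" policy, contrasting the unchecked path, where the comment and the summary-carrying notification happen regardless, with the path that requires TICKET_APPEND first. The names `update_tickets`, `has_perm`, `fresh_tickets` and the sample tickets are assumptions.

```python
import re
from copy import deepcopy

TICKET_REF = re.compile(r"#(\d+)")

# Constructed sample tickets (not from the report): id -> reporter, summary, comments.
SAMPLE_TICKETS = {
    101: {"reporter": "alice", "summary": "Private: credential rotation", "comments": []},
    102: {"reporter": "bob", "summary": "Fix typo in docs", "comments": []},
}

def fresh_tickets():
    """Return an independent copy of the sample tickets so runs do not interfere."""
    return deepcopy(SAMPLE_TICKETS)

def has_perm(tickets, user, action, tkt_id):
    """Constructed policy (assumption): a user may view and append only to tickets
    they reported, mirroring a 'committers see only their own tickets' setup."""
    if action in ("TICKET_VIEW", "TICKET_APPEND"):
        return tickets[tkt_id]["reporter"] == user
    return False

def update_tickets(tickets, author, message, check_perms=True):
    """Append `message` as a comment by `author` to each ticket referenced as #<id>.

    check_perms=False models the reported behaviour: the comment is posted and a
    notification carrying the ticket summary is generated even when `author` lacks
    permission.  check_perms=True requires TICKET_APPEND on the ticket first; a
    skipped ticket gets no comment and no mail.  Returns (updated_ids, notifications).
    """
    updated, notifications = [], []
    for ref in TICKET_REF.findall(message):
        tkt_id = int(ref)
        if tkt_id not in tickets:
            continue
        if check_perms and not has_perm(tickets, author, "TICKET_APPEND", tkt_id):
            continue  # deny quietly: do not echo the summary back to the committer
        tickets[tkt_id]["comments"].append((author, message))
        # The notification is the leak channel in the report: it exposes the summary.
        notifications.append({"to": author, "summary": tickets[tkt_id]["summary"]})
        updated.append(tkt_id)
    return updated, notifications
```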

Change History (0)
