#13076 closed defect (duplicate)
Showing the clone button should require TICKET_ADMIN
| Reported by: | Jun Omae | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | ticket system | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |

Description
Until 1.2-stable, showing the clone button required TICKET_ADMIN but, in trunk, the button is shown even for anonymous users.
The TicketClone page states that it requires at least TICKET_ADMIN level privileges.
Spammers easily create tickets via the clone button. Annoying….
Attachments (0)
Change History (4)
follow-up: 4 comment:1 by , 6 years ago
comment:2 by , 6 years ago
In #10948, a TICKET_CREATE or TICKET_CLONE permission to clone tickets is discussed, but that is not fixed.
I think removing TICKET_ADMIN from the requirement is wrong.
comment:3 by , 6 years ago
| Milestone: | 1.3.4 |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |

I'll rebase proposed changes in #10948 and review. That ticket is now targeted to milestone:1.3.4.
comment:4 by , 5 years ago
Replying to Ryan J Ollos:
For some Trac instances requiring only TICKET_CREATE might be desirable.
The clone button currently requires TICKET_MODIFY permission.
ticketclone.js inserts the clone button after the Reply button (#addreply) in the ticket description, however it is not rendered for a user without TICKET_MODIFY.
trac/ticket/templates/ticket_box.html:
```js
function insertNearReplyToDescription(content, side) {
  if (side === 'right') {
    $("#ticket .description #addreply").before(content);
  } else if (side === 'rightmost') {
    $("#ticket .description > h2").after(content);
  } else if (side === 'leftmost') {
    $("#ticket .description").children(".searchable, br")
                             .before(content);
  } else { // 'left'
    // line marked in the original comment
    $("#ticket .description #addreply").after(content);
  }
}
```
TICKET_ADMIN requirement was removed in r15436.
For some Trac instances requiring only TICKET_CREATE might be desirable.
Another idea, I suppose we could add a TICKET_CLONE permission.