Showing clone button should be required TICKET_ADMIN

[Jun Omae]

Until 1.2-stable, showing clone button is required TICKET_ADMIN but, in trunk, the button is shown even for anonymous user.

TicketClone page describes that it requires at least TICKET_ADMIN level privileges.

Spammers create easily tickets via clone button. Annoying….

[Ryan J Ollos]

TICKET_ADMIN requirement was removed in r15436.

For some Trac instances requiring only TICKET_CREATE might be desirable.

Another idea, I suppose we could add a TICKET_CLONE permission.

[Jun Omae]

In #10948, TICKET_CREATE or TICKET_CLONE permission to clone ticket is discussed but that is not fixed.

I think the removing TICKET_ADMIN from the requirement is a wrong.

[Ryan J Ollos]

I'll rebase proposed changes in #10948 and review. That ticket is now targeted to milestone:1.3.4.

[Jun Omae]

Replying to Ryan J Ollos:

For some Trac instances requiring only TICKET_CREATE might be desirable.

The clone button currently is required TICKET_MODIFY permission.

ticketclone.js inserts the clone button after Reply button (#addreply) in ticket description, however it is not rendered for the user without TICKET_MODIFY.

trac/ticket/templates/ticket_box.html:

196         function insertNearReplyToDescription(content, side) {
197           if (side === 'right') {
198             $("#ticket .description #addreply").before(content);
199           } else if (side === 'rightmost') {
200             $("#ticket .description > h2").after(content);
201           } else if (side === 'leftmost') {
202             $("#ticket .description").children(".searchable, br")
203               .before(content);
204           } else { // 'left'
205 =>          $("#ticket .description #addreply").after(content);
206           }
207         }