TICKET_CREATE without TICKET_VIEW redirect to denied page

[gh@…]

We have users who have TICKET_CREATE permission, but not TICKET_VIEW. These users get the 'permission denied' message when they are redirected to their newly created ticket after creating it. To avoid that I created a quick patch that redirects users without TICKET_VIEW permission back to the newticket module instead of the ticket.

[gh@…]

The patch mentioned above:

Index: trac/ticket/web_ui.py
===================================================================
--- trac/ticket/web_ui.py       (revision 2983)
+++ trac/ticket/web_ui.py       (working copy)
@@ -146,6 +146,10 @@
             self.log.exception("Failure sending notification on creation of "
                                "ticket #%s: %s" % (ticket.id, e))
 
+       # offer NewTicket again if user is not allowed to view tickets
+        if not req.perm.has_permission('TICKET_VIEW'):
+               req.redirect(self.env.href.newticket())
+
         # Redirect the user to the newly created ticket
         req.redirect(self.env.href.ticket(ticket.id))
 

[Christian Boos]

I think it makes more sense to allow users who have a TICKET_CREATE permission to see at least the ticket they've just created, no?

With your change, they'll certainly get the impression that their ticket was not created, and they'll probably try once or twice more before giving up…

[Markus Tacker <m@…>]

You could also display a page which states that the ticket has been created and a link back to "New Ticket".

[sid]

See also #3466 for restricting users from seeing tickets that are not their own.

[Remy Blank]

AFAICT, this was fixed on trunk in [7579].