Add a permission for reopening tickets

[Rakshasa]

A lot of my ticket have been reopened due to spammers, and I'd like a way to disallow anonymous from reopening them. Although I realize it might would be a problem that users won't be able to reopen them, it's not as bad a problem as having all my tickets reopened by spammers even though I delete them with a script.

[anonymous]

One solution (though not ideal) is removing the TICKET_MODIFY permission for anonymous users.

[anonymous]

Anonymous doesn't have TICKET_MODIFY permission, yet still they can reopen due to TICKET_APPEND.

[Christopher Lenz]

The permission to reopen tickets is actually controlled by TICKET_CREATE (the logic being that reopening an existing ticket is similar to creating a new ticket). In retrospect, I'm not sure that was the right decision, but TICKET_MODIFY would be too restrictive and TICKET_APPEND too open.

Anyway, if you need spam control, I'd strongly suggest looking either into the SpamFilter plugin, or requiring registration using the ​th:AccountManagerPlugin.

[Christian Boos]

This issue should probably be examined in the light of the recent/future changes concerning workflow and security.

[Eli Carter]

WorkFlow allows you to specify permissions required to take each action on a ticket.

[osimons <simon-code@…>]

Closing this as duplicate of #3902. It is essentially a variation on the same issue.

Use SpamFilter as a general spam-fighting solution, or else writing a custom security policy plugin will let you set your rules as you want them. For this exact issue it is a matter of checking to see if it is a TICKET_CREATE on a pre-existing ticket, and deny if anonymous.

[Christian Boos]

(clearing the milestone field, as it's a duplicate)