#4237 closed enhancement (duplicate)
Add a permission for reopening tickets
Reported by: | Rakshasa | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | general | Version: | 0.10.2 |
Severity: | normal | Keywords: | workflow permission |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
A lot of my tickets have been reopened due to spammers, and I'd like a way to disallow anonymous from reopening them. Although I realize it might be a problem that users won't be able to reopen them, it's not as bad a problem as having all my tickets reopened by spammers even though I delete them with a script.
Attachments (0)
Change History (7)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
Anonymous doesn't have TICKET_MODIFY permission, yet still they can reopen due to TICKET_APPEND.
comment:3 by , 18 years ago
The permission to reopen tickets is actually controlled by TICKET_CREATE (the logic being that reopening an existing ticket is similar to creating a new ticket). In retrospect, I'm not sure that was the right decision, but TICKET_MODIFY would be too restrictive and TICKET_APPEND too open.
Anyway, if you need spam control, I'd strongly suggest looking either into the SpamFilter plugin, or requiring registration using the th:AccountManagerPlugin.
comment:4 by , 18 years ago
Keywords: | workflow permission added |
---|---|
Milestone: | → 0.11 |
This issue should probably be examined in the light of the recent/future changes concerning workflow and security.
comment:5 by , 18 years ago
WorkFlow allows you to specify permissions required to take each action on a ticket.
comment:6 by , 17 years ago
Milestone: | 0.11.1 → 0.11 |
---|---|
Resolution: | → duplicate |
Status: | new → closed |
Closing this as duplicate of #3902. It is essentially a variation on the same issue.
Use SpamFilter as a general spam-fighting solution, or else writing a custom security policy plugin will let you set your rules as you want them. For this exact issue it is a matter of checking to see if it is a TICKET_CREATE on a pre-existing ticket, and deny if anonymous.
One solution (though not ideal) is removing the TICKET_MODIFY permission for anonymous users.
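A sketch of the custom security policy described in comment:6, added here as an example and not code from the ticket or from Trac itself. It assumes reopening is checked as TICKET_CREATE against the existing ticket's resource (as comments 3 and 6 state) and that a new ticket's resource has no id yet; the names `anonymous_reopen_decision`, `NoAnonymousReopenPolicy` and `FakeResource` are hypothetical.

```python
"""Permission policy sketch: anonymous may file tickets but not reopen them."""
from collections import namedtuple

try:  # use the real Trac interfaces when Trac is installed
    from trac.core import Component, implements
    from trac.perm import IPermissionPolicy
except ImportError:  # stand-ins so the decision logic still runs offline
    Component = object
    IPermissionPolicy = object

    def implements(*interfaces):
        pass


def anonymous_reopen_decision(action, username, resource):
    """Return False to deny, or None to defer to the next policy in the chain."""
    # Only the TICKET_CREATE check for the anonymous user is of interest.
    if action != 'TICKET_CREATE' or username != 'anonymous':
        return None
    # Coarse-grained checks (no resource) and other realms are left alone.
    if resource is None or resource.realm != 'ticket':
        return None
    # Assumption: a ticket that is still being created has no id yet.
    if resource.id is None:
        return None
    # TICKET_CREATE on a pre-existing ticket by anonymous: deny.
    return False


class NoAnonymousReopenPolicy(Component):
    """Hypothetical plugin component wrapping the decision function."""
    implements(IPermissionPolicy)

    def check_permission(self, action, username, resource, perm):
        return anonymous_reopen_decision(action, username, resource)


# Constructed stand-in for a Trac resource, used only to exercise the logic.
FakeResource = namedtuple('FakeResource', 'realm id')

if __name__ == '__main__':
    existing = FakeResource('ticket', 4237)
    print(anonymous_reopen_decision('TICKET_CREATE', 'anonymous', existing))
```

For the denial to take effect, the policy has to be listed in the `[trac] permission_policies` option of trac.ini ahead of the default policy, since returning None hands the decision to the next policy in that list.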