I always assumed that, when using the API, the user would have the same permissions as when he is accessing RT via the web interface.
Turns out that, using the API, he can edit (reply, add time to) tickets in closed queues - which is not possible via the web interface (as it should be).
Is there a way to restrict users from modifying closed queues via the API - apart from terminating API access altogether?
Note: RT version 5.0.7
I believe the API should still respect rights in RT. Can you confirm via the rights inspector that the user doesn’t have the rights to make these changes to the tickets that they have?
Yes, the user has permissions on the ticket as the ticket owner, but trying to reply via the web interface, he gets “Cannot reply to closed queue!”.
The API somehow does not respect that.
I have failed to find any relevant permission in the permission settings.
Can you perhaps suggest which permissions to watch out for?
As in the queue is not enabled? Or the queue is called “closed”?
The queue is not enabled.
Should I report this as a bug?
This clears things up nicely, thanks for the explanation. The distinction around API permissions makes a lot more sense now - should definitely help others avoid some confusion!