DeleteTicket right issue in RT3.0.11 (bugfix)

Hello,

I have trouble with the ‘DeleteTicket’ right in RT3.0.11.

I have given the right ‘DeleteTicket’ to particular users while other
users can ‘ModifyTicket’ (actually: the owner). If I now try to set the
Status of a ticket to ‘deleted’, I actually need the ‘ModifyTicket’
right (-> own the ticket). Just having the ‘DeleteTicket’ right is not
sufficient.

This is introduced because “Ticket::SetStatus” checks the ACL but
forgets to tell “Ticket::_Set” NOT to check (which does check again, but
only against the ‘ModifyTicket’ right, and thus denies the change).

Assuming that this is a bug and not a feature, here is the fix:

*** /opt/rt3/lib/RT/Ticket_Overlay.ORIG
— /opt/rt3/lib/RT/Ticket_Overlay.pm
*** 3326,3331 ****
— 3326,3332 ----
my ($val, $msg)= $self->_Set( Field => ‘Status’,
Value => $args{Status},
TimeTaken => 0,

  •                       CheckACL        => 0,
                           TransactionType => 'Status'  );
    
     return($val,$msg);
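Review bot: With CheckACL => 0 added to the _Set call, the rights check done earlier in SetStatus becomes the only gate for every status change, not just the change to 'deleted', and that check sits outside the context shown here. Please confirm that it requires 'DeleteTicket' only when the new status is 'deleted' and 'ModifyTicket' for every other value, and that no path reaches this _Set call without passing it. A short comment above the CheckACL line saying that the ACL has already been checked in SetStatus would keep a later edit from removing or copying the flag blindly. A regression test would also help: a user holding only 'DeleteTicket' can set 'deleted' but is still refused any other status value.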
    

Best regards,

Ruediger Riediger

Dr. Ruediger Riediger Sun Microsystems GmbH
NSG - SunCERT Komturstr. 18a
mailto:Ruediger.Riediger@Sun.com D-12099 Berlin
PGP 2048RSA/0x2C5020E9 964C E189 0FF0 8882 2BAB 65E2 6912 1FF2