One of our users recently mistakenly merged a ticket into a ticket
that she didn’t have modify rights to. She could no longer even see
the merged ticket. In trying to track down why this would happen, I
found this code in Ticket_Overlay.pm (MergeInto method):

my $MergeInto = RT::Ticket->new($RT::SystemUser);
$MergeInto->Load($ticket_id);

Make sure the current user can modify the new ticket.

unless ( $MergeInto->CurrentUserHasRight(‘ModifyTicket’) ) {
return ( 0, $self->loc(“Permission Denied”) );
}

Now, because the $MergeInto ticket was created with the RT System
User, “CurrentUser” for this object seems to be RT::SystemUser and so
always has ModifyTicket permission.

My question is - am I understanding this whole thing correctly?
Should the MergeInto ticket object be created with $self->CurrentUser
instead of RT::SystemUser?

Thanks,
Steve