ModifyTicket versus CommentOnTicket

Hi all,

Had a bit of a discussion with a colleague who has been auditing our RT
install about the mentioned subject. He found a user who could see and
comment on tickets without having CommentOnTicket but having
ModifyTicket, to which I replied that he shouldn't be able to. Reading
the wiki led to the same answer: ModifyTicket also implies CommentOnTicket.
Still not completely sure, I went through the code and yes, it's in there,
so he's right.
BUT I found a bug, I think.
/lib/RT/Interface/Email/Auth/MailFrom.pm line 186 (version 4.2.2) checks
for CommentOnTicket when the Action is comment, but it doesn't check for
ModifyTicket, while /lib/RT/Ticket.pm line 1446 does check both
rights when checking for a comment.

Regards,

Joop

Had a bit of a discussion with a colleague who has been auditing our RT
install about the mentioned subject. He found a user who could see and
comment on tickets without having CommentOnTicket but having
ModifyTicket, to which I replied that he shouldn't be able to. Reading
the wiki led to the same answer: ModifyTicket also implies CommentOnTicket.
Still not completely sure, I went through the code and yes, it's in there,
so he's right.

Yep. This has been this way a long, long time. One thing that escaped
this: ForwardTicket isn't implied by Modify. Additionally, in 4.0 and
greater you can protect status transitions using lifecycle rights.

BUT I found a bug, I think.
/lib/RT/Interface/Email/Auth/MailFrom.pm line 186 (version 4.2.2) checks
for CommentOnTicket when the Action is comment, but it doesn't check for
ModifyTicket, while /lib/RT/Ticket.pm line 1446 does check both
rights when checking for a comment.

This has been this way a long time and I doubt we’re going to change
it. In fact, the change we’d rather make is to move away from
ModifyTicket implying ReplyToTicket and CommentOnTicket.

-kevin
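Added illustration (not part of the thread, and not RT's own code): a small Python model of the two rights checks Joop and Kevin describe. The RT::Ticket-style check treats ModifyTicket as implying CommentOnTicket and ReplyToTicket but not ForwardTicket; the MailFrom.pm-style check for a comment address looks at CommentOnTicket alone. The audit function lists users whose ability to comment differs between the web path and the mail gateway, which is exactly the case Joop's colleague found. The user table and function names are constructed for the example; the real RT code paths are only referenced by the file names in the thread.

```python
"""Model of the two RT rights checks discussed in the thread (added example).

Not RT's code: it reproduces in Python the behaviour the thread describes so
the divergence between the two paths can be checked over a set of users.
"""
from typing import Dict, FrozenSet, List, Tuple

# Rights that ModifyTicket implies on the RT::Ticket path, per the thread.
# ForwardTicket is deliberately absent: Kevin notes it is NOT implied.
IMPLIED_BY_MODIFY = frozenset({"CommentOnTicket", "ReplyToTicket"})


def ticket_has_right(rights: FrozenSet[str], right: str) -> bool:
    """RT::Ticket-style check: the right itself, or ModifyTicket where it implies it."""
    if right in rights:
        return True
    return "ModifyTicket" in rights and right in IMPLIED_BY_MODIFY


def mailgate_can_comment(rights: FrozenSet[str]) -> bool:
    """MailFrom.pm-style check for a comment address: the literal right only."""
    return "CommentOnTicket" in rights


def find_divergent_users(users: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Return (user, note) for every user whose comment ability differs by path."""
    out: List[Tuple[str, str]] = []
    for user, rights in sorted(users.items()):
        web = ticket_has_right(rights, "CommentOnTicket")
        mail = mailgate_can_comment(rights)
        if web != mail:
            out.append((user, "web yes, mail no" if web else "web no, mail yes"))
    return out


# Constructed sample data: a handful of users with different right sets.
SAMPLE_USERS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"CommentOnTicket"}),
    "bob": frozenset({"ModifyTicket"}),
    "carol": frozenset({"ModifyTicket", "CommentOnTicket"}),
    "dave": frozenset({"SeeTicket"}),
}

if __name__ == "__main__":
    for user, note in find_divergent_users(SAMPLE_USERS):
        print(f"{user}: {note}")
```

Running it flags only bob, who holds ModifyTicket without CommentOnTicket: his comments succeed through the web UI but a comment sent to the mail gateway is refused. Granting CommentOnTicket explicitly, as carol has, removes the divergence, which is also the direction Kevin says the project would rather move in.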