RT 2.0.13 bug? Anyone can *update* a ticket

Hello,

I’m using 2.0.13. I have one of my queues gatewayed to an e-mail address.
I have group rights set as follows: Everyone - CreateTicket, Requestor -
CommentOnTIcket, ReplyToTicket, ShowTicket, Watch.

I created a ticket via e-mail and then sent and update in from an e-mail
address that belongs neither to the requestor nor any of the watchers. It
got posted. Should that be happening? (In my opinion, if you didn’t
request a ticket and you’re not a watcher/adminCC/CC, you shouldn’t be
able to reply to it.)

Thanks :slight_smile:

Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET

  • I do my best work with one of my cockatiels sitting on each shoulder -
    6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance
    stance towards abusive priests. The fact that 20% didn’t, scares me…

“SJS” == Steven J Sobol sjsobol@JustThe.net writes:

SJS> I have group rights set as follows: Everyone - CreateTicket, Requestor -
SJS> CommentOnTIcket, ReplyToTicket, ShowTicket, Watch.

SJS> I created a ticket via e-mail and then sent and update in from an e-mail
SJS> address that belongs neither to the requestor nor any of the watchers. It
SJS> got posted. Should that be happening? (In my opinion, if you didn’t
SJS> request a ticket and you’re not a watcher/adminCC/CC, you shouldn’t be
SJS> able to reply to it.)

Then don’t give “everyone” the right to reply to a ticket. Give it
only to the requestor and admins/owners.

Then don’t give “everyone” the right to reply to a ticket. Give it
only to the requestor and admins/owners.

“Everyone” only has the right to create a ticket.

And sjsobol@nacs.net, the e-mail account that sent the reply, doesn’t have
a user account in this particular copy of RT, and even if it did, I don’t
assign per-user rights anyhow, just group rights.

Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET

  • I do my best work with one of my cockatiels sitting on each shoulder -
    6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance
    stance towards abusive priests. The fact that 20% didn’t, scares me…