AddWatcher only checks if the watcher being added has
’WatchAsAdminCc’ or ‘Watch’ right when the CurrentUser
is the one being added. This means that using a scrip,
a watcher could be added that doesn’t have the right.
So is the right supposed to be enforced for all users
or is it just used to control which users show up
in the web interface. I would guess the former, but
the later is currently implemented.
The attached patch shows that the user doesn’t have
the right but AddWatcher succeeds anyway. (It also
makes it so the test can be run multiple times
without dropping the DB.)
rights.patch (1.63 KB)