RT3.8.8 Custom Field Bug

RT Users,

After some testing, it appears as though I have found a bug relating to the
display of custom fields when in the basics edit page.

We have some custom fields set up, so that some are SeeCustomField others
are ModifyCustomField and the rest have no permissions assigned. When on the
edit page, everything that ModifyCustomField is set for, are viewable and
editable just as I expect. However, when changing any of these, and hitting
save changes, every single Custom field applicable to that Queue/Globally
are suddenly visible entirely!

Of course when these are changed, and save changes is clicked again I am
shown Permission Denied, and then only the correct custom fields are shown
once more.

I’ve had a look at the code affecting this, and it seems to be the
share/html/Ticket/Elements/EditCustomFields which is the problem, on line
% next unless $CustomField->CurrentUserHasRight(‘ModifyCustomField’);
This seems to be true on every field upon a submit of the form, yet works
correctly when visiting the page initially. As a workaround, I changed the
line to:
% next unless $session{‘CurrentUser’}->HasRight( Object => $CustomField,
Right => ‘ModifyCustomField’);
And this seems to have fixed it.

I’m not entirely sure if this is a bug with RT3.8.8 or if it was present in
previous releases, or it’s just something with our specific setup.

Hopefully someone with a little more knowledge of the internal RT libs will
be able to confirm this!