Set custom fields for unprivileged users via REST

Hi. I have another question about using REST 1.0 and here is the scenario:

  • I have some custom fields.
  • I CAN set the custom fields for privileged users when I create a ticket via the REST interface.
  • I CAN’T do the same for unprivileged users, although I set the SetInitialCustomField right on the custom fields for them.
  • I can do it for unprivileged users if I set SeeCustomField right for them too, however I DON’T want them to see the custom fields, so it can’t be a solution.

The ticket is created, but I get the error message “Invalid custom field name” per custom field.

What can I do?

I think I found the problem. There is a subroutine called CurrentUserCanSee in rt/lib/RT/CustomField.pm that checks if the user can create a custom field at creation time even if she can’t see them. But rt/html/REST/1.0/Forms/ticket/default, which seems to be responsible for creating tickets via the REST interface, doesn’t have such a validation.

Instead, it uses:

my $cf = RT::CustomField->new( $session{CurrentUser} );
$cf->LoadByName(...

that returns custom fields which can be seen by the current user, and since the current user doesn’t have SeeCustomField right, it returns “Invalid custom field name”.
So, I’d like to know if it’s ok to change that line to:

my $cf = RT::CustomField->new( RT->SystemUser );
....

It’s only a workaround that I tested, and it worked.
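
An added example, not part of the original post and not RT's own code: one way to resolve the field name with RT->SystemUser while still authorising the real caller, so that the lookup does not grant every REST user the ability to set any custom field. The helper name `load_cf_for_create` and its arguments are assumptions; it expects an already initialised RT, an RT::CurrentUser and a loaded RT::Queue.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of RT): find a ticket custom field by name at
# ticket-creation time for a user who may lack SeeCustomField.
# Assumes RT is already initialised (as inside the REST Mason component),
# $user is an RT::CurrentUser and $queue is a loaded RT::Queue.
#
# Intended call site, in place of the two lines quoted in the post
# ($queue and $name are assumed to be available there):
#   my ( $cf, $err ) = load_cf_for_create( $session{CurrentUser}, $queue, $name );
sub load_cf_for_create {
    my ( $user, $queue, $name ) = @_;

    # SystemUser is used for the lookup only, so the name resolves even when
    # the caller cannot see the field.
    my $cf = RT::CustomField->new( RT->SystemUser );
    $cf->LoadByName( Name => $name, Queue => $queue->Id );
    $cf->LoadByName( Name => $name, Queue => 0 ) unless $cf->Id;    # global CF
    return ( undef, "Invalid custom field name" ) unless $cf->Id;

    # Authorise against the real caller. EquivObjects lets rights granted on
    # the queue count as well as rights granted on the field or globally.
    for my $right (qw(SetInitialCustomField ModifyCustomField)) {
        return ( $cf, undef )
            if $user->HasRight(
                Right        => $right,
                Object       => $cf,
                EquivObjects => [$queue],
            );
    }

    # Same message as for an unknown name, so the reply does not reveal that
    # a hidden field with this name exists.
    return ( undef, "Invalid custom field name" );
}
```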