Opened 7 years ago

Closed 5 years ago

Unprivileged users opening a sensitive ticket don’t know that they succeeded

Reported by: Anders Kaseorg

Owned by: Daniel Kahn Gillmor

normal SensitiveTicketsPlugin normal newticket success feedback 0.11

Description

If a user without SENSITIVE_VIEW permissions opens a sensitive ticket, then they do not have permission to view the ticket they just opened, and they are mysteriously redirected back to the new ticket form with no error message, and no indication that the ticket was successfully opened (even though it was).

comment:1 Changed 6 years ago by Daniel Kahn Gillmor

Yes, this is a concern. Perhaps the reporter should be allowed access as well as people with SENSITIVE_VIEW. Or maybe anyone in the Cc field as well?

Changed 5 years ago by Daniel Kahn Gillmor

patch that enables some options: allow_reporter, allow_cc (both of which default to false) and allow_owner (defaults to true)

comment:2 Changed 5 years ago by Daniel Kahn Gillmor

(sorry for the duplicate copies)

Changed 5 years ago by Daniel Kahn Gillmor

revised patch which also adds limit_sensitivity option to prevent people from setting sensitivity on tickets they won't have access to.
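The access rules described in the two patch notes above, modelled as a stand-alone Python sketch. This is an added example, not the plugin's code or either attached patch; the names `Options`, `Ticket`, `can_view` and `can_mark_sensitive` are hypothetical, and the `limit_sensitivity` default is an assumption because the ticket does not state one.

```python
# Added illustration: a stand-alone model of the access rules discussed in
# this ticket. It does not use Trac's API and is not the plugin's code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Options:
    # Defaults as stated in the ticket comments.
    allow_reporter: bool = False
    allow_cc: bool = False
    allow_owner: bool = True
    # Assumption: the ticket gives no default for limit_sensitivity.
    limit_sensitivity: bool = False


@dataclass
class Ticket:
    reporter: str
    owner: str = ""
    cc: list = field(default_factory=list)
    sensitive: bool = False


def can_view(user, has_sensitive_view, ticket, opts):
    """Return True if `user` may view `ticket` under `opts`."""
    if not ticket.sensitive or has_sensitive_view:
        return True
    if opts.allow_owner and ticket.owner and user == ticket.owner:
        return True
    if opts.allow_reporter and user == ticket.reporter:
        return True
    return opts.allow_cc and user in ticket.cc


def can_mark_sensitive(user, has_sensitive_view, ticket, opts):
    """With limit_sensitivity on, refuse the flag if it would lock the user out."""
    if not opts.limit_sensitivity:
        return True
    # Evaluate visibility against a copy with the sensitive flag set.
    proposed = Ticket(ticket.reporter, ticket.owner, list(ticket.cc), sensitive=True)
    return can_view(user, has_sensitive_view, proposed, opts)
```

With the default options, the reporter of a sensitive ticket fails `can_view`, which is the situation this ticket reports.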

comment:3 Changed 5 years ago by Steffen Hoffmann

Keywords: newticket success feedback added

Owner: changed from obs to Daniel Kahn Gillmor

assign to current maintainer now

comment:4 Changed 5 years ago by Daniel Kahn Gillmor

Resolution: → fixed

Status: new → closed

This should be closed as of r11287
