Read-only users can acknowledge triggers (doesn't properly check for write permission)


    • Type: Patch request
    • Resolution: Won't fix
    • Priority: Major
    • Affects Version/s: 1.8.4
    • Component/s: Frontend (F)
    • Environment:
      Linux, Apache, PHP 5.3
    • Sprint 18

      In 1.8.4 (and earlier versions), guests (or other users with read-only permissions) can acknowledge triggers that they can see, even without read/write permissions for the host. It's possible that this was by design, but that defies the Law of Least Astonishment, since giving someone read-only permissions shouldn't let them make any updates/changes.

      I have a patch (attached) that checks for read/write permissions for acknowledging triggers (on tr_status.php and acknow.php).
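
      The difference between the two checks discussed in this report, as an added PHP example that is neither the attached patch nor Zabbix frontend code. The permission levels, user names, host name, event id and function names are all hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration with hypothetical names; this is not Zabbix frontend code.
const LEVEL_DENY = 0;
const LEVEL_READ = 2;
const LEVEL_READ_WRITE = 3;

// Constructed sample data: permission level per user per host, and event-to-host mapping.
$perms = [
    'guest'    => ['web01' => LEVEL_READ],
    'operator' => ['web01' => LEVEL_READ_WRITE],
];
$eventHost = [1001 => 'web01'];

// Default deny: an unknown user, host or event yields LEVEL_DENY.
function levelForEvent(array $perms, array $eventHost, string $user, int $eventId): int
{
    $host = $eventHost[$eventId] ?? null;
    return $host === null ? LEVEL_DENY : ($perms[$user][$host] ?? LEVEL_DENY);
}

// Behaviour described in the report: being able to see the trigger is enough to acknowledge it.
function acknowledgeIfVisible(array $perms, array $eventHost, array &$acks, string $user, int $eventId, string $msg): bool
{
    if (levelForEvent($perms, $eventHost, $user, $eventId) < LEVEL_READ) {
        return false;
    }
    $acks[] = compact('user', 'eventId', 'msg'); // stored acknowledgement: a state change
    return true;
}

// Check the report asks for: acknowledging is a write, so require read/write on the host.
function acknowledgeIfWritable(array $perms, array $eventHost, array &$acks, string $user, int $eventId, string $msg): bool
{
    if (levelForEvent($perms, $eventHost, $user, $eventId) < LEVEL_READ_WRITE) {
        return false;
    }
    $acks[] = compact('user', 'eventId', 'msg');
    return true;
}

$acks = [];
var_dump(acknowledgeIfVisible($perms, $eventHost, $acks, 'guest', 1001, 'seen'));     // case: read-only user, visibility check
var_dump(acknowledgeIfWritable($perms, $eventHost, $acks, 'guest', 1001, 'seen'));    // case: read-only user, write check
var_dump(acknowledgeIfWritable($perms, $eventHost, $acks, 'operator', 1001, 'seen')); // case: read/write user, write check
var_dump(count($acks)); // number of acknowledgements actually stored
```

      The write check belongs in the code path that stores the acknowledgement, so it holds no matter which page linked to it.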

            Assignee: Unassigned
            Reporter: Isaac Richter
            Team C
            Votes: 5
            Watchers: 7
