6.0.0-git
2019-08-25

[#3789] pick up number for guest ,if without read permission
Summary pick up number for guest ,if without read permission
Queue Whups
Type Enhancement
State Accepted
Priority 1. Low
Owners
Requester david (at) tmv (dot) gov (dot) tw
Created 2006-04-19 (4876 days ago)
Due
Updated 2007-09-29 (4348 days ago)
Assigned
Resolved
Milestone
Patch No

History
2007-09-29 02:28:22 Chuck Hagenbuch State ⇒ Accepted
 
2006-07-20 19:17:44 Chuck Hagenbuch State ⇒ New
 
2006-04-19 16:02:13 david (at) tmv (dot) gov (dot) tw Comment #4 Reply to this comment
Here is my thought about this issue:

First,the ticket did not realy created into system until guest confirm 
by the url or pick-up number given in the first notification.This is 
for verify guest's mail address.



Second,those who can provide corrct pick-up number or url,system will 
treat them as CREATOR not GUEST only for that ticket.



David
2006-04-19 06:51:55 Jan Schneider Comment #3 Reply to this comment
Yes, the permissions should be opposite. E.g. if the user has read but 
not show permissions, he will get the regular notification message and 
can access the ticket through the url, but it won't show up in any bug 
listings.

This won't keep any anonymous user from trying several bug number 
manually though, so it's only obfuscation by hiding.
2006-04-19 04:41:09 Chuck Hagenbuch Comment #2
State ⇒ Feedback
Reply to this comment
What would the pick-up number link to?



One problem is that SHOW permission means you can see an object 
exists, but not what it is (more or less - times for calendar events 
but not titles, etc.). How would having SHOW let someone see 
information about a ticket, using that understanding of SHOW?
2006-04-19 00:47:33 david (at) tmv (dot) gov (dot) tw Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ pick up number for guest ,if without read permission
Queue ⇒ Whups
Reply to this comment
Follow up ticket 3630
If have a queue where guests have the rights "Show" and "Edit", but 
not "Read"
So they are able to report something, but not to read the content 
afterwards. On this way it is possible to *report critical content* 
that should not be accessible by anyone.
How about send guest a pick-up number in the first notification 
message,so they can read ticket's history ,if guest just have Show and 
Edit permission.


Saved Queries