Is this a BUG REPORT or FEATURE REQUEST?:
What happened:
The endpoint /tickets/uploadattachment doesn't check the user's permissions. Everyone can upload any attachment even if the user doesn't have the tickets:update permission. This is verified instead if I try to delete the attachment.
What did you expect to happen:
Check the user permissions and prevent the upload.
How to reproduce it (as minimally and precisely as possible):
Postman, or enabling the upload element in the UI by commenting out the following check in IssuePartial.jsx at line 165:
&& helpers.hasPermOverRole(this.props.owner.role, null, 'tickets:update', true)
Anything else we need to know?:
Environment:
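The missing check described in this report, as an added example that is not part of the original report or the project's code: a server-side guard in the Express `(req, res, next)` style placed in front of the upload handler, so the permission is enforced even when the UI check is bypassed. The role table, `hasPermission`, `requirePermission`, `uploadAttachment` and `simulate` are hypothetical names, and the requests are constructed samples.

```javascript
// Added example: role names, permission table and handler names are hypothetical.
const ROLE_PERMS = {
  admin: ['tickets:*'],
  agent: ['tickets:view', 'tickets:update'],
  user: ['tickets:view'],
};

// True when the role holds the exact permission or a wildcard for its resource.
function hasPermission(role, perm) {
  const granted = ROLE_PERMS[role] || [];
  const [resource] = perm.split(':');
  return granted.includes(perm) || granted.includes(`${resource}:*`);
}

// Middleware factory: rejects the request before the handler runs.
function requirePermission(perm) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'Not authenticated' });
    if (!hasPermission(req.user.role, perm)) {
      return res.status(403).json({ error: `Missing permission ${perm}` });
    }
    return next();
  };
}

// Stand-in for the upload handler; only reached after every earlier check passes.
function uploadAttachment(req, res) {
  return res.status(200).json({ stored: req.file });
}

// Minimal offline harness: runs a handler chain against a constructed request.
function simulate(chain, req) {
  const out = { code: null, body: null };
  const res = {
    status(c) { out.code = c; return this; },
    json(b) { out.body = b; return this; },
  };
  let i = 0;
  const next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return out;
}

// Route with no server-side check (the reported behaviour) vs. the guarded route.
const unprotected = [uploadAttachment];
const guarded = [requirePermission('tickets:update'), uploadAttachment];
```

Hiding the upload element in the client only changes what the UI offers; the guarded chain is what stops a direct request to the endpoint.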