polonel / trudesk

:coffee: :seedling: Trudesk is an open-source help desk/ticketing solution.
http://trudesk.io

Upload Attachments from anyone #634

Open FlavioSantoro92 opened 12 months ago

FlavioSantoro92 commented 12 months ago

Is this a BUG REPORT or FEATURE REQUEST?:

What happened:

The endpoint /tickets/uploadattachment doesn't check the user's permissions. Everyone can upload any attachment even if the user doesn't have the tickets:update permission. This is verified instead if I try to delete the attachment.

What did you expect to happen:

Check the user permissions and prevent the upload.

How to reproduce it (as minimally and precisely as possible):

Postman, or enabling the upload element in the UI by commenting out the following check in IssuePartial.jsx at line 165: && helpers.hasPermOverRole(this.props.owner.role, null, 'tickets:update', true)

Anything else we need to know?:

Environment:

github-actions[bot] commented 11 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
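
A server-side check of the kind the report asks for, as an added example that is not part of the original issue and not Trudesk's own code: an Express-style middleware that rejects the request before the upload handler runs, so hiding the upload element in the UI is no longer the only control. The role table, `requirePermission`, `uploadAttachment` and the fake response/dispatcher are hypothetical; only the `/tickets/uploadattachment` path and the `tickets:update` permission name come from the issue.

```javascript
// Constructed role table (assumption): role name -> granted permission strings.
const ROLE_GRANTS = {
  admin: ['tickets:*'],
  agent: ['tickets:view', 'tickets:update'],
  user: ['tickets:view', 'tickets:create'],
};

// True if the role holds the exact permission or a wildcard for its group.
// hasOwnProperty keeps role names like "__proto__" from resolving to inherited values.
function roleHasPermission(role, permission) {
  const known = Object.prototype.hasOwnProperty.call(ROLE_GRANTS, role);
  const grants = known ? ROLE_GRANTS[role] : [];
  const [group] = permission.split(':');
  return grants.includes(permission) || grants.includes(`${group}:*`);
}

// Express-style middleware factory (hypothetical name): deny by default.
function requirePermission(permission) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'Not authenticated' });
    if (!roleHasPermission(req.user.role, permission)) {
      return res.status(403).json({ error: `Missing permission ${permission}` });
    }
    return next();
  };
}

// Hypothetical upload handler standing in for the real one.
function uploadAttachment(req, res) {
  return res.status(200).json({ stored: req.file.name });
}

// Minimal stand-ins for an Express response and router so this runs offline.
function fakeResponse() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}
function dispatch(handlers, req) {
  const res = fakeResponse();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Equivalent of router.post('/tickets/uploadattachment', ...uploadRoute).
const uploadRoute = [requirePermission('tickets:update'), uploadAttachment];
function simulateUpload(user) {
  return dispatch(uploadRoute, { user, file: { name: 'report.pdf' } });
}
```

The same middleware can guard the delete route, so both endpoints enforce one rule instead of each handler carrying its own check.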