Deleting notes only possible when agent has full group permissions

Infos:

  • Used Zammad version: 3.0.x
  • Used Zammad installation source: docker-compose
  • Operating system: Debian 9
  • Browser + version: Chrome 75

Expected behavior:

  • If a user can see a “Delete” button below their own note, a click on this Delete button should delete the note. If the note cannot be deleted (e.g. due to permissions), an error message should be displayed; or better yet, the Delete button shouldn’t be visible in the first place.
  • A user should be able to delete their own notes if they have write permissions to the ticket.
    My rationale for this is: at the moment, you can only delete your own notes when you have full group permissions. But write permissions are enough to move the ticket into a group where you have full permissions, so you can always move ticket -> delete note -> move ticket back. Therefore write permissions are technically already sufficient, it’s just not very obvious.
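The following Ruby sketch is an added illustration of the authorization reasoning above; it is not Zammad's code, and the class, method and permission names (`NoteDeletionPolicy`, `:full`, `:change`, and so on) are assumptions chosen to mirror the report. It models the reported rule (deletion needs full group permission), the requested rule (write permission is enough), and the move-ticket workaround, and routes both the button visibility and the API decision through one policy so the two cannot disagree:

```ruby
require 'set'

# Illustrative model, not Zammad's data structures. Group permissions are a Set of
# symbols per group, using the names from the report (:read, :create, :change,
# :overview, :full).
Agent  = Struct.new(:id, :group_permissions) # { group_id => Set of permission symbols }
Ticket = Struct.new(:id, :group_id)
Note   = Struct.new(:id, :ticket_id, :author_id)

class NoteDeletionPolicy
  def initialize(agent, ticket, note)
    @agent, @ticket, @note = agent, ticket, note
  end

  # Permissions the agent holds on the group the ticket currently sits in.
  def perms
    @agent.group_permissions.fetch(@ticket.group_id, Set.new)
  end

  def own_note?
    @note.author_id == @agent.id && @note.ticket_id == @ticket.id
  end

  # Behaviour as reported: deleting requires :full on the ticket's group.
  def allowed_under_full_only?
    own_note? && perms.include?(:full)
  end

  # Behaviour as requested: :change (write) on the ticket's group is enough.
  def allowed_under_write?
    own_note? && (perms.include?(:full) || perms.include?(:change))
  end

  # The workaround from the report: with :change the agent can move the ticket to
  # a group where they hold :full, delete the note, and move the ticket back.
  # True when that route exists, i.e. when the :full-only rule is bypassable anyway.
  def reachable_via_move?
    own_note? && perms.include?(:change) &&
      @agent.group_permissions.values.any? { |p| p.include?(:full) }
  end
end

# Single decision point shared by the UI (show the Delete button?) and the API
# (destroy action), so the button is only rendered when the server would allow it.
def can_delete_note?(agent, ticket, note)
  NoteDeletionPolicy.new(agent, ticket, note).allowed_under_write?
end

# API-side handler: denies with an explicit error body rather than a bare 401,
# so the client has a message to display instead of failing silently.
def destroy_note(agent, ticket, note)
  unless can_delete_note?(agent, ticket, note)
    return [403, { 'error' => 'Not authorized to delete this note' }]
  end
  [200, { 'deleted' => note.id }]
end

# Constructed sample data mirroring the reproduction steps: full access in group 1,
# read/create/change/overview (no full) in group 2, ticket moved into group 2.
FULL_GROUP    = 1
LIMITED_GROUP = 2
AGENT = Agent.new(10, {
  FULL_GROUP    => Set[:read, :create, :change, :overview, :full],
  LIMITED_GROUP => Set[:read, :create, :change, :overview]
})
TICKET     = Ticket.new(100, LIMITED_GROUP)
OWN_NOTE   = Note.new(46_850, 100, 10)   # article id taken from the log in the report
OTHER_NOTE = Note.new(46_851, 100, 11)   # someone else's note, constructed

if __FILE__ == $PROGRAM_NAME
  policy = NoteDeletionPolicy.new(AGENT, TICKET, OWN_NOTE)
  puts "full-only rule allows:  #{policy.allowed_under_full_only?}"
  puts "write rule allows:      #{policy.allowed_under_write?}"
  puts "reachable via move:     #{policy.reachable_via_move?}"
  puts "destroy own note   -> #{destroy_note(AGENT, TICKET, OWN_NOTE).inspect}"
  puts "destroy other note -> #{destroy_note(AGENT, TICKET, OTHER_NOTE).inspect}"
end
```

For the sample agent the full-only rule denies the deletion while the move workaround is available, which is exactly the gap the report points out; with the shared policy the button and the destroy action agree, and a denial carries an error body the client can surface.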

Actual behavior:

  • Deleting a ticket note can fail due to permissions. Still, the button is visible, and Zammad will not report the error. Only the logs show that something went wrong:

    I, [2019-07-10T10:52:34.698865 #1-47222887043280]  INFO -- : Started DELETE "/api/v1/ticket_articles/46850" for ::ffff:172.17.0.4 at 2019-07-10 10:52:34 +0000
    I, [2019-07-10T10:52:34.703514 #1-47222887043280]  INFO -- : Processing by TicketArticlesController#destroy as JSON
    I, [2019-07-10T10:52:34.703580 #1-47222887043280]  INFO -- :   Parameters: {"id"=>"46850"}
    I, [2019-07-10T10:52:34.725307 #1-47222887043280]  INFO -- : Completed 401 Unauthorized in 22ms (Views: 0.2ms | ActiveRecord: 4.4ms)

  • Users cannot delete their own notes if the ticket is in a group where the user lacks full permissions.

Steps to reproduce the behavior:

  • Create a ticket in a group where you have full access.
  • Create a note.
  • Delete the note. This will work as expected.
  • Create another note.
  • Move the ticket into another group where you don’t have full permissions, but only read, create, change, overview.
  • Delete the note. This won’t work.