Infos:
- Used Zammad version: 3.0.x
- Used Zammad installation source: docker-compose
- Operating system: Debian 9
- Browser + version: Chrome 75
Expected behavior:
- If a user can see a “Delete” button below their own note, a click on this Delete button should delete the note. If the note cannot be deleted (e.g. due to permissions), an error message should be displayed; or better yet, the Delete button shouldn’t be visible in the first place.
- A user should be able to delete their own notes if they have write permissions to the ticket.
My rationale for this is: at the moment, you can only delete your own notes when you have full group permissions. But write permissions are enough to move the ticket into a group where you have full permissions, so you can always move ticket -> delete note -> move ticket back. Therefore write permissions are technically already sufficient, it’s just not very obvious.
Actual behavior:
- Deleting a ticket note can fail due to permissions. Still, the button is visible, and Zammad will not report the error. Only the logs show that something went wrong:
```
I, [2019-07-10T10:52:34.698865 #1-47222887043280] INFO -- : Started DELETE "/api/v1/ticket_articles/46850" for ::ffff:172.17.0.4 at 2019-07-10 10:52:34 +0000
I, [2019-07-10T10:52:34.703514 #1-47222887043280] INFO -- : Processing by TicketArticlesController#destroy as JSON
I, [2019-07-10T10:52:34.703580 #1-47222887043280] INFO -- : Parameters: {"id"=>"46850"}
I, [2019-07-10T10:52:34.725307 #1-47222887043280] INFO -- : Completed 401 Unauthorized in 22ms (Views: 0.2ms | ActiveRecord: 4.4ms)
```
- Users cannot delete their own notes if the ticket is in a group where the user lacks full permissions.
Steps to reproduce the behavior:
- Create a ticket in a group where you have full access.
- Create a note.
- Delete the note. This will work as expected.
- Create another note.
- Move the ticket into another group where you don’t have full permissions, but only read, create, change, overview.
- Delete the note. This won’t work.
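
Added example, not part of the original post and not Zammad code: because the rejected delete is only visible in the server log, an administrator can surface these silent failures by pairing each `Started DELETE "/api/v1/ticket_articles/…"` line with its `Completed` line. It assumes the `#…` tag after the timestamp identifies the worker handling the request; the method name and the second request (article 46851) are constructed for illustration.

```ruby
# Added example: find silently rejected note deletions in a Rails-style log.
# SAMPLE_LOG holds the four lines from the post plus one constructed,
# successful delete (article 46851, tag #1-47222887050000) interleaved with it.
SAMPLE_LOG = <<~'LOG'
  I, [2019-07-10T10:52:34.698865 #1-47222887043280] INFO -- : Started DELETE "/api/v1/ticket_articles/46850" for ::ffff:172.17.0.4 at 2019-07-10 10:52:34 +0000
  I, [2019-07-10T10:52:34.699100 #1-47222887050000] INFO -- : Started DELETE "/api/v1/ticket_articles/46851" for ::ffff:172.17.0.4 at 2019-07-10 10:52:34 +0000
  I, [2019-07-10T10:52:34.703514 #1-47222887043280] INFO -- : Processing by TicketArticlesController#destroy as JSON
  I, [2019-07-10T10:52:34.703580 #1-47222887043280] INFO -- : Parameters: {"id"=>"46850"}
  I, [2019-07-10T10:52:34.720000 #1-47222887050000] INFO -- : Completed 200 OK in 21ms (Views: 0.2ms | ActiveRecord: 4.1ms)
  I, [2019-07-10T10:52:34.725307 #1-47222887043280] INFO -- : Completed 401 Unauthorized in 22ms (Views: 0.2ms | ActiveRecord: 4.4ms)
LOG

LINE      = /\A\w, \[(?<time>\S+) #(?<ctx>[\d-]+)\]\s+\w+ -- : (?<msg>.*)\z/
STARTED   = %r{\AStarted DELETE "/api/v1/ticket_articles/(?<id>\d+)" for (?<ip>\S+)}
COMPLETED = /\ACompleted (?<status>\d{3}) /

# Returns one hash per article DELETE that finished with a rejected status.
def rejected_article_deletes(log, statuses: [401, 403])
  pending = {} # worker tag => article DELETE currently in flight (or nil)
  hits = []
  log.each_line(chomp: true) do |raw|
    line = LINE.match(raw) or next
    ctx = line[:ctx]
    msg = line[:msg]
    if msg.start_with?("Started ")
      # Any new request on this worker replaces whatever was tracked before.
      s = STARTED.match(msg)
      pending[ctx] = s && { time: line[:time], article_id: s[:id].to_i, ip: s[:ip] }
    elsif (c = COMPLETED.match(msg)) && (req = pending.delete(ctx))
      status = c[:status].to_i
      hits << req.merge(status: status) if statuses.include?(status)
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  rejected_article_deletes(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} article #{h[:article_id]} from #{h[:ip]} -> #{h[:status]}"
  end
end
```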