On Mon, Jan 27, 2014 at 10:43 AM, Apache Bloodhound < [email protected]> wrote:
> #388: Test environment isolation across product boundaries - after #355 > ---------------------------+-------------------------------------------- > Reporter: olemis | Owner: rjollos > Type: task | Status: review > Priority: critical | Milestone: Release 8 > Component: multiproduct | Version: > Resolution: | Keywords: product environment testing QA > ---------------------------+-------------------------------------------- > > Comment (by olemis): > > Replying to [comment:8 rjollos]: > [...] > > > > A related issue is that, since `process_request` is checking for > `TICKET_CREATE` permission, the user must have `TICKET_CREATE` for their > current scope in order to use the QCT. > > > > this is by design , if creating a ticket via QCT user must be granted with > TICKET_CREATE in both the active env and the target env . The former case > is not a big deal since > > > [source:trunk/bloodhound_theme/bhtheme/templates/bloodhound_theme.html@1553998 > :339-356 > QCT form is not displayed] . Nevertheless it must still be asserted in > code to be consistent in case of direct requests hijacking system logic . > We should reconsider whether it is a good design in light of recent changes. Given that tickets must be associated with a product, it make little sense to require that a user has `TICKET_CREATE` at global scope in order for the QCT form to be available at global scope. The QCT would be more useful if a user could create a ticket in any product for which they have TICKET_CREATE permission, regardless of the permissions they have in the current scope (i.e. a the active environment).
