> On 27 Jan 2014, at 23:02, Ryan Ollos <[email protected]> wrote: > > On Mon, Jan 27, 2014 at 10:43 AM, Apache Bloodhound < > [email protected]> wrote: > >> #388: Test environment isolation across product boundaries - after #355 >> ---------------------------+-------------------------------------------- >> Reporter: olemis | Owner: rjollos >> Type: task | Status: review >> Priority: critical | Milestone: Release 8 >> Component: multiproduct | Version: >> Resolution: | Keywords: product environment testing QA >> ---------------------------+-------------------------------------------- >> >> Comment (by olemis): >> >> Replying to [comment:8 rjollos]: >> [...] >>> >>> A related issue is that, since `process_request` is checking for >> `TICKET_CREATE` permission, the user must have `TICKET_CREATE` for their >> current scope in order to use the QCT. >> >> this is by design , if creating a ticket via QCT user must be granted with >> TICKET_CREATE in both the active env and the target env . The former case >> is not a big deal since >> >> [source:trunk/bloodhound_theme/bhtheme/templates/bloodhound_theme.html@1553998 >> :339-356 >> QCT form is not displayed] . Nevertheless it must still be asserted in >> code to be consistent in case of direct requests hijacking system logic . > > We should reconsider whether it is a good design in light of recent > changes. Given that tickets must be associated with a product, it make > little sense to require that a user has `TICKET_CREATE` at global scope in > order for the QCT form to be available at global scope. The QCT would be > more useful if a user could create a ticket in any product for which they > have TICKET_CREATE permission, regardless of the permissions they have in > the current scope (i.e. a the active environment).
I agree with Ryan. That's how I believe QCT was intended to be used from the beginning. It should only be hidden if the user has no ticket create permissions in any product. - Joe
