Our permissions model is currently a mess. Newsgroup discussion came up with the following, which I intend to implement:

No permissions - can add comments and change CCs
Has canconfirm - can add comments, change CCs, and confirm a bug
Has canedit - can edit any aspect of a bug
QA Contact - can edit any aspect of a bug
Assignee - can edit any aspect of a bug
(So, being the QA Contact or the Assignee can be implemented as having canedit for that bug only.)
Reporter - can edit any aspect of a bug, except:
    confirmed status
    priority unless Param("letsubmitterchoosepriority")
    target milestone
(So, being a reporter has to be an extra flag, because they are different.)

Gerv
This is related to/a dupe of several bugs, the most obvious probably being the 2.16 bug on this issue.
OK, having carefully read the code, here (I think) are the deviations the current model has from the ideal:

- An unpermissioned user can change NEW -> ASSIGNED and REOPENED -> ASSIGNED by hacking templates, although there's no UI.
- The reporter can possibly confirm bugs, using the same method as above, but I couldn't get it to work.
- The reporter can currently change priority and TM.
- Anyone can edit dependencies (bug 141593) because the Check function isn't called for them

Gerv
I fixed this when I rewrote CheckCanChangeField. Gerv
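
The permission matrix from the first comment as a default-deny check, written here as an added Perl sketch and not Bugzilla's own CheckCanChangeField; the field names, hash layouts and both function names are assumptions. Every changed field is diffed in one place, so a field such as dependencies cannot skip the check by lacking its own call site.

```perl
use strict;
use warnings;

# Hypothetical field names for this sketch; not Bugzilla's actual schema.
my %OPEN_TO_ALL = map { $_ => 1 } qw(comment cc);

# Returns 1 if $user may change $field on $bug under the proposed model.
sub can_change_field {
    my ($user, $bug, $field, $params) = @_;
    return 1 if $OPEN_TO_ALL{$field};               # no permissions needed
    return 1 if $user->{groups}{canedit};           # global canedit
    return 1 if grep { defined $bug->{$_} && $bug->{$_} == $user->{id} }
                qw(assignee qa_contact);            # canedit for this bug only
    return $user->{groups}{canconfirm} ? 1 : 0
        if $field eq 'confirmed';                   # reporter role never confirms
    if ($bug->{reporter} == $user->{id}) {          # reporter: all but the exceptions
        return 0 if $field eq 'target_milestone';
        return $params->{letsubmitterchoosepriority} ? 1 : 0
            if $field eq 'priority';
        return 1;
    }
    return 0;                                       # default deny, status changes included
}

# Compare old and new values for every field present in either hash and
# return the names of changed fields the user is not allowed to change.
sub denied_changes {
    my ($user, $bug, $old, $new, $params) = @_;
    my %seen = map { $_ => 1 } keys %$old, keys %$new;
    return grep {
        ($old->{$_} // '') ne ($new->{$_} // '')
            && !can_change_field($user, $bug, $_, $params)
    } sort keys %seen;
}

# Constructed sample data.
my $bug      = { reporter => 7, assignee => 2, qa_contact => 3 };
my $params   = { letsubmitterchoosepriority => 0 };
my $old      = { bug_status => 'NEW', priority => 'P3', dependson => '', confirmed => 0 };
my $reporter = { id => 7,  groups => {} };
my $stranger = { id => 99, groups => { canconfirm => 1 } };

# Reporter submits a priority change and a new dependency.
print join(',', denied_changes($reporter, $bug, $old,
    { %$old, priority => 'P1', dependson => '100' }, $params)), "\n";
# User with only canconfirm confirms, moves NEW -> ASSIGNED and adds a dependency.
print join(',', denied_changes($stranger, $bug, $old,
    { %$old, confirmed => 1, bug_status => 'ASSIGNED', dependson => '100' }, $params)), "\n";
```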