Fossil Forum


Permission check for /rptsql page is wrong, isn't it?

(1.1) By george on 2021-03-31 20:10:56 edited from 1.0 [link] [source]

/rptsql page (the one that shows SQL query of a ticket report) requires TktFmt capability (see line 323 of src/report.c).

What is the rationale behind this rule?
It seems more reasonable to me to require for ( "Clone" AND "RdTkt" ).


Maybe a better rule:

( "Clone" AND "RdTkt" ) OR ( "requester-is-the-owner-of-the-report" ).