Permission check for /rptsql page is wrong, isn't it?
(1.1) By george on 2021-03-31 20:10:56 edited from 1.0
The /rptsql page (the one that shows the SQL query of a ticket report) requires the TktFmt capability (see line 323 of src/report.c).
What is the rationale behind this rule?
It seems more reasonable to me to require ( "Clone" AND "RdTkt" ).
UPDATE:
Maybe a better rule:
( "Clone" AND "RdTkt" ) OR ( "requester-is-the-owner-of-the-report" ).