I just noticed that if a user without the permission to alter terms on a project issue posts a comment on that issue, terms that were already set and potentially alterable by someone with the proper permission get removed.

1. Create an issue as uid=1.
2. Create a comment to that issue and set a label. +PGSQL.
3. Log in as a different user who does not have the permission to alter terms via comments. Submit comment.
4. Label added in step 2 is removed by comment #2.

This isn't a security problem at all, since the user is not actively doing anything at all and wouldn't be able to add terms or anything.

See attached screenshot as an example.

CommentFileSizeAuthor
cat_example1.png56.81 KBaclight

Comments

aclight’s picture

Status: Active » Fixed

Now that #311480: Refactor and simplify the comment form workflow is in, this problem is fixed.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.