# RT regression test: a ticket this user is NOT allowed to see must not leak
# into outgoing mail when the user references it (AttachTickets) from a
# ticket they ARE allowed to create -- an authorization bypass via a side
# channel rather than via the ticket display page itself.
# NOTE(review): the gutter numbers skip, so this listing is non-contiguous;
# several of the calls below are truncated in this view (their opening or
# closing lines are missing).
4 use RT::Test tests => undef;
# tests => undef leaves the plan open-ended, so the script presumably ends
# with done_testing -- not visible here.
6 my $user = RT::Test->load_or_create_user(
8 EmailAddress => 'user@example.com',
10 Password => 'password',
# Rights model under test: anyone may create tickets, but only a ticket's
# own Requestor may view it. These hashes are presumably arguments to a
# rights-granting call whose surrounding lines are outside this view.
15 { Principal => 'Everyone', Right => [qw/CreateTicket/] },
16 { Principal => 'Requestor', Right => [qw/ShowTicket/] },
# Canary string: the final assertion searches outgoing mail for it.
# Presumably it is stored in ticket B (the ticket $user cannot see); the
# line that does so is not in this view -- confirm against the full test.
21 my $secret = "sekrit message";
23 RT::Test->create_tickets(
# Ticket A: requested by $user, so the Requestor => ShowTicket grant above
# lets $user view it.
26 Subject => 'ticket A',
27 Requestor => $user->EmailAddress,
28 Content => "user's ticket",
# Ticket B: requested by root, so $user holds no ShowTicket right on it.
31 Subject => 'ticket B',
32 Requestor => 'root@localhost',
# A is listed before B, so last_ticket is presumably the hidden ticket B.
37 my $ticket_b = RT::Test->last_ticket;
39 my ($baseurl, $m) = RT::Test->started_ok;
40 ok $m->login( 'user', 'password' ), 'logged in as user';
# Baseline: direct access to ticket B is refused for this user and RT emits
# a permission warning. Without this check, a passing "no leak" assertion
# below would prove nothing (the user might simply be allowed to see B).
42 $m->get_ok("$baseurl/Ticket/Display.html?id=" . $ticket_b->id);
43 $m->content_contains('No permission');
44 $m->warning_like(qr/no permission/i, 'no permission warning');
# Discard mail generated during setup so the assertion at the end only sees
# mail produced by the ticket C creation.
46 RT::Test->clean_caught_mails;
48 # Ticket Create is just one example of where this is vulnerable
# The user-supplied AttachTickets value names ticket B, which this user may
# not read. The question is whether RT enforces ShowTicket when it expands
# that reference into the notification mail, or trusts the id as given.
# The form-submission call these arguments belong to is truncated here.
49 $m->get_ok('/Ticket/Create.html?Queue=1');
51 form_name => 'TicketCreate',
53 Subject => 'ticket C',
54 AttachTickets => $ticket_b->id,
56 }, 'create a ticket');
58 my @mail = RT::Test->fetch_caught_mails;
59 ok @mail, "got some outgoing emails";
# NOTE(review): only $mail[0] is inspected. If creation produces more than
# one message, the remaining ones are never checked for the canary; looping
# over @mail would close that gap.
60 unlike $mail[0], qr/\Q$secret\E/, "doesn't contain ticket user can't see";