Request Participants beside Reporter can remove other participants.

2017-06-14T14:49:18
ID ATLASSIAN:JSDSERVER-5184
Type atlassian
Reporter jrahmadiputra
Modified 2018-08-15T12:51:50

Description

h3. Summary: Apparently, participants of a request have a control to whom the request is "Shared" with even though it is not the Reporter. Hence, they can actually remove themselves from the Request and unable to view it after that. Also, they can remove other parties from the request as well.

h3. Steps to Reproduce:

Create a Service Desk Project.

Create an Organization and add Customer 1 and Customer 2 inside.

Let Customer 1 create a request from the portal and share it to the Organization.

Logout from Customer 1 and log in back as Customer 2.

Access the previous request.

h3. Expected Result: * The request could be accessed and the user would not have control over the "Participants"

h3. Actual Result: * There is an option to remove the Participant which is the Organization.

h3. Notes: * This also applies to single users as well, not just Organization.