From facd6abec3e221ff784d5255b4767fb41339e16a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 19 Sep 2021 00:56:10 +0200
Subject: [PATCH] FIX user without permission can set ticket subject
---
 htdocs/ticket/card.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php
index 0df04bdf1ab05..e07205a704374 100644
--- a/htdocs/ticket/card.php
+++ b/htdocs/ticket/card.php
@@ -492,7 +492,7 @@
 }
 }
- if ($action == 'setsubject') {
+ if ($action == 'setsubject' && $user->rights->ticket->write) {
 if ($object->fetch(GETPOST('id', 'int'))) {
 if ($action == 'setsubject') {
 $object->subject = GETPOST('subject', 'alphanohtml');
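Review bot: The new guard on the `setsubject` branch tests only the module-wide `$user->rights->ticket->write` right, while the ticket to modify is still chosen by the request parameter in `$object->fetch(GETPOST('id', 'int'))`, so nothing visible in this hunk ties the fetched ticket to the caller. If per-object access is not already enforced before the action blocks (outside this hunk, so unverified here), that check should be confirmed or added ahead of the fetch. The guard would also be more robust written as `if ($action == 'setsubject' && !empty($user->rights->ticket->write)) {`, which still fails closed but without a notice when the user has no ticket rights object at all. The inner `if ($action == 'setsubject') {` now repeats the outer condition and can be dropped. A refused request falls through silently, so logging or an explicit access-denied response would make denied attempts visible; the block continues past the end of the hunk.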