I see this as one of two problems; for some reason I have a hard time
understanding how a browser behaving badly would cause a problem an
API is supposed to prevent.
Authorization for that endpoint shouldn't allow a ticket deletion
unless someone is a specific type of administrator (with rights to do
so), which shouldn't be determined by any front end; it should only
ever be determined by the API if someone is exceeding their authority.
a signed session or JWT should never be able to have authorization
rights escalated once authenticated. This truly seems like a "General
Ripper" scenario if this is the case.
If this isn't an authorization issue, then it might be a UX issue.
Assuming one is authorized to delete a ticket in the reported state;
i.e. somehow deleting the ticket by thinking one was deleting an
attachment. We don't have access to the front end in the state which
was reported, so it's unlikely we can say this is the case or not.
Wondering how many other tickets may have been affected. just my 2 cents.
si-ja
alphaseinor