I've been hacking on making a setup with these properties:
- customers can view all the issues anyone in their company has issued
- customers and internal devs can communicate via issue comments
- multiple customer companies cannot see each other's issues (so private stack traces are private)
- customers can VIEW but not EDIT issue fields
So far I was able to get #1-3 working with groups, roles and the workflow editor to automatically set the "visible to" field during issue creation.
The primary issue is the latter one... I have turned many fields "private" and that's great. But for the public fields, it seems in my testing that a 'customer' user not only can VIEW but can also EDIT that field. Meaning they can mess with the 'fixed-in-version' field which isn't really allowed.
What can be done to prevent this?