Thanks for the great reply!
On May 24, 2012, at 7:32 PM, Alex Vandiver wrote: > On Thu, 2012-05-24 at 14:51 -0700, Chris Hiestand wrote: >> Firstly, I think that in general, you do not need to worry much about >> CSRF if the request method is GET. > > Secondly, RT has historically not differentiated between GET parameters > and POST parameters; it is quite possible to alter a ticket's status by > appending a "&Status=resolved" to the appropriate URL. Ah, that was my mistake. Are "write" GET parameters removed in RT 4?
