Discovered a bug today! I was assigned to a private issue on a repo that I do not have privileges for. As noted in #4103, I could view the issue, but I could not update it. Commenting (thus hitting https://pagure.io/fedora-infrastructure/issue/9246/update) resulted in HTTP 403.

If possible, the assignee should have all edit privileges on an issue (private or public) assigned to them that people added with "ticket" access have generally. This includes the ability to update private tickets as noted above, as well as editing ticket metadata/status/etc. Right now, it appears that all an assignee who doesn't have ticket access can do is comment (if the ticket is public, they can still view private tickets they are assigned to) and drop themselves as assignee.

A shorter version of what I'm trying to say: "ticket" permissions on a given issue should be the union of the assignee and users/groups granted "ticket" access in the repo settings.