The Visual Task Board (VTB) pop-up card editor shows the journal fields (Comments and Work notes) based on the parent record's write ACLs instead of the ACLs of the board's table.
Steps to Reproduce
Edit the write ACL on incident.comments to pass only for the admin role.
Impersonate a user without the admin role (itil user).
Go to a list of incidents, right-click the column header of a choice field such as priority, and choose Show in Visual Task Board.
Click one of the cards.
Note that both the Comments and Work notes journal fields appear even though the user cannot write to the Comments field.
You can also reproduce this issue in the other direction by editing the task.work_notes ACLs so that the user fails them while still passing the incident.work_notes ACL. When you open the VTB card, the Work notes journal field input does not display even though you can see it on the record.
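The following added example (not ServiceNow code and not part of the original article) models both reproductions and lists the journal fields where the card editor's decision differs from the record's. It assumes a simplified rule where the most specific table that has a write ACL for the field decides; the ACL sets, including the task-level rules that let itil pass, and the names `canWrite` and `findMismatches` are constructed for illustration.

```javascript
// Simplified model (assumption): walking up the table hierarchy, the first
// table with a write ACL for the field decides. Not ServiceNow's ACL engine.
const HIERARCHY = { incident: "task", task: null }; // incident extends task

// Constructed ACL sets (field -> roles that pass) for the two reproductions.
const SCENARIO_1 = {
  "incident.comments": ["admin"], // edited: passes only for admin
  "task.comments": ["itil"],      // assumed parent rule that itil passes
  "task.work_notes": ["itil"],
};
const SCENARIO_2 = {
  "task.comments": ["itil"],
  "task.work_notes": ["admin"],    // edited: itil fails on the parent
  "incident.work_notes": ["itil"], // itil passes on the board's table
};

// Evaluate write access starting at startTable and moving to its parents.
function canWrite(acls, startTable, field, userRoles) {
  for (let t = startTable; t; t = HIERARCHY[t]) {
    const required = acls[`${t}.${field}`];
    if (required) return required.some((r) => userRoles.includes(r));
  }
  return false; // no matching rule: deny in this model
}

// Compare the record's decision (board table) with the card editor's
// decision (parent table, as the article describes) for each journal field.
function findMismatches(acls, boardTable, userRoles) {
  const parent = HIERARCHY[boardTable];
  if (!parent) return []; // board table has no parent: nothing to compare
  const out = [];
  for (const field of ["comments", "work_notes"]) {
    const onRecord = canWrite(acls, boardTable, field, userRoles);
    const onCard = canWrite(acls, parent, field, userRoles);
    if (onRecord !== onCard) out.push({ field, onRecord, onCard });
  }
  return out;
}

console.log(findMismatches(SCENARIO_1, "incident", ["itil"]));
console.log(findMismatches(SCENARIO_2, "incident", ["itil"]));
```

A field reported with `onCard: true` and `onRecord: false` is the exposure case: the card offers an input that the board table's ACL was meant to deny.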
This issue is under review. To receive notifications when more information is available, subscribe to this Known Error article by clicking the Subscribe button at the top right of the article. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.
Related Problem: PRB1276007