For example, ordinary users are allowed (in the frontend) to edit the summary of the ticket, its description, the required deposit (up to the sum of preexpeditures), (pre)expeditures (before the ticket was (pre)accepted), and so on. In the API, the ticket is read-only to everyone but admins.
Also, the user should be allowed to see at least the list of usernames (without real names, e-mail addresses and other private info).
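
The rules above written as one server-side check that the frontend and the API could both call, plus an allow-list serializer for the user list. This is an added example, not the project's code: the field names, the `preaccepted`/`accepted` flags and the function names are assumptions, and ticket ownership is not modelled because the page does not state it.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed field names; the page names the concepts, not the schema.
USER_EDITABLE = {"summary", "description", "deposit", "preexpeditures", "expeditures"}
# Field -> ticket flag that freezes it for ordinary users (assumed flag names).
LOCKS = {"preexpeditures": "preaccepted", "expeditures": "accepted"}
PUBLIC_USER_FIELDS = ("username",)  # everything else is private to admins


@dataclass
class Ticket:
    preexpeditures: list = field(default_factory=list)  # Decimal amounts
    preaccepted: bool = False
    accepted: bool = False


def check_ticket_update(is_admin, ticket, changes):
    """Return rejection reasons; an empty list means the write is allowed."""
    if is_admin:
        return []
    errors = []
    for name in changes:
        lock = LOCKS.get(name)
        if name not in USER_EDITABLE:
            errors.append(f"{name}: not editable by ordinary users")
        elif lock and getattr(ticket, lock):
            errors.append(f"{name}: locked once the ticket is {lock}")
    if "deposit" in changes:
        # Compare against the preexpeditures this request is allowed to leave
        # in place, so a rejected preexpeditures edit cannot raise the limit.
        pre = ticket.preexpeditures
        if "preexpeditures" in changes and not ticket.preaccepted:
            pre = changes["preexpeditures"]
        limit = sum(pre, Decimal(0))
        # The lower bound of 0 is an assumption; the page gives only the cap.
        if not Decimal(0) <= changes["deposit"] <= limit:
            errors.append(f"deposit: must be between 0 and {limit}")
    return errors


def serialize_user(user, viewer_is_admin):
    """Allow-list output: non-admins receive the username and nothing else."""
    if viewer_is_admin:
        return dict(user)
    return {key: user[key] for key in PUBLIC_USER_FIELDS}
```

Because the serializer copies an allow-list instead of deleting private keys, a field added to the user record later stays hidden from ordinary users by default.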