Anyone gets access to other tickets via customer.pl?!

TitovLab
Znuny newbie
Posts: 7
Joined: 18 Apr 2015, 15:17
Znuny Version: 5.0.17
Real Name: Alexander Titov
Company: IT PC help

Anyone gets access to other tickets via customer.pl?!

Post by TitovLab »

Hi!

I found a strange thing: if the Ticket::Frontend::CustomerDisableCompanyTicketAccess option is disabled in SysConfig, which is the default, any customer via customer.pl can access all the tickets in the organization. To do that he must change the ticket number in the browser address bar when viewing any of his tickets: /otrs/customer.pl?Action=CustomerTicketZoom;TicketNumber=not_my_ticketnumber

The most interesting thing is that none of the ways recommended by manuals fixes the situation:
1. Enabling groups for customers and specifying a specific group in CustomerFrontend::Module###CustomerTicketOverview for CompanyTickets to restrict access to the CompanyTickets section in your account. CompanyTickets disappears from the menu, but bypassing with the change of the URL works fine.
2. Enabling CustomerUserExcludePrimaryCustomerID => 1 in Config.pm. Yes, there are only their own tickets in their personal account, but again, bypassing by changing the URL still works.
In any case, whatever one may say, anyone gets access to someone else's information.
Has anyone tried to fix it?
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Anyone gets access to other tickets via customer.pl?!

Post by jojo »

There is nothing to fix. A customer can access all tickets with the same CustomerID unless the Company Feature is disabled.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
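To make the rule in jojo's reply concrete for admins who want to check what a customer login can actually open, here is an added Python model of the customer-frontend zoom decision. It is not OTRS/Znuny code (the real check is done by the Kernel::System::Ticket::CustomerPermission modules); the ticket and user records are constructed sample data, and the only setting modelled is Ticket::Frontend::CustomerDisableCompanyTicketAccess.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    number: str
    customer_user_id: str   # login of the customer user who opened the ticket
    customer_id: str        # organisation (CustomerID) the ticket belongs to


@dataclass(frozen=True)
class CustomerUser:
    login: str
    customer_ids: frozenset  # all CustomerIDs the login is assigned to


@dataclass(frozen=True)
class Config:
    # Ticket::Frontend::CustomerDisableCompanyTicketAccess; default is off,
    # which is the situation described in the thread.
    disable_company_ticket_access: bool = False


def can_zoom(ticket, user, cfg):
    """Simplified model: may `user` open `ticket` in CustomerTicketZoom?"""
    if ticket.customer_user_id == user.login:     # own ticket: always visible
        return True
    if cfg.disable_company_ticket_access:         # company access switched off
        return False
    # Company feature: any ticket of an organisation the login belongs to.
    return ticket.customer_id.lower() in {c.lower() for c in user.customer_ids}


def exposed_tickets(tickets, user, cfg):
    """Tickets the user can open but did not create: the exposure an admin
    should review before leaving the default setting in place."""
    return [t.number for t in tickets
            if can_zoom(t, user, cfg) and t.customer_user_id != user.login]


# Constructed sample data (not from the thread).
TICKETS = [
    Ticket("2015041800001", "alice", "acme"),
    Ticket("2015041800002", "bob", "acme"),
    Ticket("2015041800003", "carol", "globex"),
]
BOB = CustomerUser("bob", frozenset({"acme"}))
CAROL = CustomerUser("carol", frozenset({"globex"}))
```

With the default config `exposed_tickets(TICKETS, BOB, Config())` lists alice's ticket; with the setting enabled it is empty.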