Hi!
I found a strange thing: if the Ticket::Frontend::CustomerDisableCompanyTicketAccess option is disabled in SysConfig, which is the default, any customer via customer.pl can access all the tickets in the organization. To do that he must change the ticket number in the browser address bar when viewing any of his tickets: /otrs/customer.pl?Action=CustomerTicketZoom;TicketNumber=not_my_ticketnumber
The most interesting thing is that none of the ways recommended by manuals fixes the situation:
1. Enabling groups for customers and specifying a specific group in CustomerFrontend::Module###CustomerTicketOverview for CompanyTickets to restrict access to the CompanyTickets section in your account. CompanyTickets disappears from the menu, but bypassing with the change of the URL works fine.
2. Enabling CustomerUserExcludePrimaryCustomerID => 1 in Config.pm. Yes, there are only their tickets in their personal account, but again, bypassing with the change of URL works again.
In any case, whatever one may say, anyone gets access to someone else's information.
Has anyone tried to fix it?
Anyone gets access to other tickets via customer.pl?!
Moderator: crythias
Re: Anyone gets access to other tickets via customer.pl?!
There is nothing to fix. A customer can access all tickets with the same customerID unless the Company Feature is disabled.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com