User is able to access admin user tickets module using the URL of a Admin user

Moderator: crythias

grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

I have taken two different browsers and logged in as a user and Admin respectively, but when I have taken the URL of Admin and put it into the User browser, the user gets all the rights of admin.
grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

To reproduce it:
1. Log in with valid user credentials - User-B (user has an Admin role).
2. Click on App link, now click on “Ticketing System” link, move mouse over and click on "Ticket" tab & click on "Search" link.
3. Now copy the complete URL & paste this URL in another browser, where User-A is already logged in with User roles.
4. Observe.
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by jojo »

I don't know what "Click on App link , now click on “Ticketing System” link" links you are referring to.

But I guess that you copied some session ID in the URL
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

:http://10.10.1.80/otrs/customer.plActio ... DMuaoVUWbV

This is the URL, and how can I hide the session ID?
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by jojo »

This is a customer session, not an agent session. The session URL typically only shows up if freshly created or no cookies are allowed. Please ensure that you are also using the latest version of OTRS.
grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

We are using version 3.3.6.
grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

This is the URL of the user with the admin role.
grathi
Znuny newbie
Posts: 38
Joined: 14 Jan 2015, 10:21
Znuny Version: 2.3.4

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by grathi »

hi Jojo,
Please help me ....
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by crythias »

go to 3.3.latest and then report back.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
ruzzetto

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by ruzzetto »

Hi,
I noticed the same behaviour with the latest version (5.0.19) too. Copy and paste the admin session from Chrome to Firefox and you see the same session...
RStraub
Znuny guru
Posts: 2210
Joined: 13 Mar 2014, 09:16
Znuny Version: 6.0.14
Real Name: Rolf Straub

Re: User is able to access admin user tickets module using the URL of a Admin user

Post by RStraub »

Well yes, but that's intended?

The Session in the URL is a fallback if the cookie cannot be read/set properly. If you then copy the session to a new window/browser you of course keep the session.

What would you guys expect?
Currently using: OTRS 6.0.14 -- MariaDB -- Ubuntu 16 LTS
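
What the session-in-URL fallback discussed in this thread looks like from the server side, as an added example that is not part of the original posts: a Python check over web server access logs that reports session tokens carried in the URL and used by more than one client (IP address and user agent). The session parameter names, the Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed session parameter names; set these to the session names
# configured on your own installation.
SESSION_PARAMS = {"Session", "CSID", "OTRSAgentInterface", "OTRSCustomerInterface"}

# Combined Log Format: ip - user [time] "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP range, made-up tokens).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2015:10:21:00 +0000] "GET /otrs/index.pl?Action=AgentTicketSearch;Session=EXAMPLETOKEN01 HTTP/1.1" 200 512 "-" "Chrome"',
    '192.0.2.10 - - [14/Jan/2015:10:21:05 +0000] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 200 512 "-" "Chrome"',
    '192.0.2.77 - - [14/Jan/2015:10:25:00 +0000] "GET /otrs/index.pl?Action=AgentTicketSearch;Session=EXAMPLETOKEN01 HTTP/1.1" 200 512 "-" "Firefox"',
    '192.0.2.30 - - [14/Jan/2015:10:26:00 +0000] "GET /otrs/customer.pl?Action=CustomerTicketOverview;CSID=EXAMPLETOKEN02 HTTP/1.1" 200 512 "-" "Firefox"',
]

def session_tokens(url):
    """Return the session tokens carried in the query string of url."""
    query = urlsplit(url).query.replace(";", "&")  # OTRS URLs separate parameters with ';'
    return [v for k, v in parse_qsl(query) if k in SESSION_PARAMS and v]

def shared_url_sessions(lines):
    """Map each URL-borne token seen from more than one client to its (ip, agent) set."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        for token in session_tokens(m["url"]):
            seen[token].add((m["ip"], m["agent"]))
    return {t: c for t, c in seen.items() if len(c) > 1}

if __name__ == "__main__":
    for token, clients in shared_url_sessions(SAMPLE_LOG).items():
        print(f"token {token} used by {len(clients)} clients: {sorted(clients)}")
```

Any token this reports has also been written to the access log in clear text, so the log files themselves need the same protection as the sessions.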