Agent as customer cannot access own tickets?

Hey guys,

I think the following is somewhat inconsistent - let me know what you think:

  • If a customer creates a ticket, he will always be able to access it regardless of the current group.

  • If an agent creates ticket a ticket for himself (let’s assume he set his own user as ticket customer), he will only be able to access the ticket, if he has permissions on the tickets current group.

We just encountered the case that an agent used a ticket template to create a ticket for himself in a group which he is not allowed to access.
I think because he set himself as customer, he should be allowed to access his own ticket regardless of the group.
In terms of permissions, I would say there should be no difference wether a ticket customer is in fact a customer or an agent.

I tried to implement this by adding “return true if customer_id ==” to /opt/zammad/app/models/ticket/checks_access.rb for pure access (ignoring such things as permissions for overviews or the search function at the moment).

def access?(user, access)

  # check customer
  if user.permissions?('ticket.customer')

    # access ok if its own ticket
    return true if customer_id ==

    # check organization ticket access
    return false if organization_id.blank?
    return false if user.organization_id.blank?
    return false if organization_id != user.organization_id
    return organization.shared?

  # check agent

  # access if requestor is owner
  return true if owner_id ==

  # Charburner: access if requesting agent is customer of the ticket
  return true if customer_id ==

  # access if requestor is in group
  user.group_access?(, access)

From my point of view this would improve the usability for environments where internal tickets (agents are customers) are required.


I extended this code fiddling and added conditions in


to ensure that my agents are always allowed to read/search/overview their own tickets, which means, they either created the ticket (e.g. created_by_id == or they are customer of the the ticket (e.g. customer_id ==

So the customer of a ticket can be changed but the initial creator of the ticket can still access it.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.