Hey guys,
I think the following is somewhat inconsistent - let me know what you think:
- If a customer creates a ticket, he will always be able to access it regardless of the current group.
- If an agent creates a ticket for himself (let’s assume he set his own user as ticket customer), he will only be able to access the ticket if he has permissions on the ticket’s current group.
Issue:
We just encountered the case that an agent used a ticket template to create a ticket for himself in a group which he is not allowed to access.
I think because he set himself as customer, he should be allowed to access his own ticket regardless of the group.
In terms of permissions, I would say there should be no difference whether a ticket customer is in fact a customer or an agent.
Code:
I tried to implement this by adding “return true if customer_id == user.id” to /opt/zammad/app/models/ticket/checks_access.rb for pure access (ignoring such things as permissions for overviews or the search function at the moment).
def access?(user, access)

  # check customer
  if user.permissions?('ticket.customer')

    # access ok if it's own ticket
    return true if customer_id == user.id

    # check organization ticket access
    # (only tickets of the customer's own organization, and only if it is shared)
    return false if organization_id.blank?
    return false if user.organization_id.blank?
    return false if organization_id != user.organization_id
    return organization.shared?
  end

  # check agent

  # access if requestor is owner
  # (no group check: applies to every access level, not only 'read')
  return true if owner_id == user.id

  # Charburner: access if requesting agent is customer of the ticket
  # (same shortcut as the owner check above, so it also grants every access level)
  return true if customer_id == user.id

  # access if requestor is in group
  user.group_access?(group.id, access)
end
From my point of view this would improve the usability for environments where internal tickets (agents are customers) are required.
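To make the two rules comparable outside of Zammad, here is an added stand-alone Ruby model of the check (example code, not Zammad's own classes and not part of the original post). The User, Ticket and Organization classes, their field names and the fixture values are assumptions that keep only what access? reads; ActiveSupport's blank? is replaced by nil?. access_before? is the posted method without the added line, access_after? is the posted method with it, and the assumed fixture reproduces the case from the post: an agent who may only work in group 1 ends up as customer of a ticket that a template put into group 2.

```ruby
# Added example, not Zammad code: a stand-alone model of the access check so the rule
# before and after the proposed line can be run without Rails. Classes, field names and
# fixture values are assumptions that keep only what access? reads; blank? becomes nil?.

# Assumption: an organization matters here only through its id and "shared" flag.
Organization = Struct.new(:id, :shared) do
  def shared?
    shared
  end
end

class User
  attr_reader :id, :organization_id

  # permissions:  permission names, e.g. 'ticket.agent' or 'ticket.customer'
  # group_access: Hash of group_id => access levels ('read', 'change', 'full', ...)
  def initialize(id:, permissions:, organization_id: nil, group_access: {})
    @id = id
    @permissions = permissions
    @organization_id = organization_id
    @group_access = group_access
  end

  def permissions?(name)
    @permissions.include?(name)
  end

  # Assumption: 'full' on a group implies every other access level on it.
  def group_access?(group_id, access)
    levels = @group_access.fetch(group_id, [])
    levels.include?(access) || levels.include?('full')
  end
end

class Ticket
  attr_reader :customer_id, :owner_id, :group_id

  def initialize(customer_id:, group_id:, owner_id: nil, organization: nil)
    @customer_id = customer_id
    @group_id = group_id
    @owner_id = owner_id
    @organization = organization
  end

  def organization_id
    @organization && @organization.id
  end

  # Rule as posted, without the added line: an agent needs access to the
  # ticket's current group unless he owns the ticket.
  def access_before?(user, access)
    return customer_access?(user) if user.permissions?('ticket.customer')
    return true if owner_id == user.id
    user.group_access?(group_id, access)
  end

  # Rule with the proposed line: an agent who is the ticket's customer gets
  # through as well, for every access level, exactly like the owner shortcut.
  def access_after?(user, access)
    return customer_access?(user) if user.permissions?('ticket.customer')
    return true if owner_id == user.id
    return true if customer_id == user.id
    user.group_access?(group_id, access)
  end

  private

  # Customer branch, identical in both variants: own ticket, or a ticket of the
  # customer's own organization when that organization is shared.
  def customer_access?(user)
    return true if customer_id == user.id
    return false if organization_id.nil?
    return false if user.organization_id.nil?
    return false if organization_id != user.organization_id
    @organization.shared?
  end
end

# Constructed fixtures: agent 2 may only work in group 1; a template created "internal"
# in group 2 with agent 2 as customer and the system user (id 1) as owner.
def scenarios
  shared_org = Organization.new(10, true)
  agent     = User.new(id: 2, permissions: ['ticket.agent'], group_access: { 1 => ['full'] })
  customer  = User.new(id: 3, permissions: ['ticket.customer'], organization_id: 10)
  colleague = User.new(id: 4, permissions: ['ticket.customer'], organization_id: 10)
  internal  = Ticket.new(customer_id: 2, group_id: 2, owner_id: 1)
  external  = Ticket.new(customer_id: 3, group_id: 1, owner_id: 1, organization: shared_org)
  {
    agent_own_ticket_before:       internal.access_before?(agent, 'read'),
    agent_own_ticket_after:        internal.access_after?(agent, 'read'),
    agent_own_ticket_change_after: internal.access_after?(agent, 'change'),
    agent_group_ticket_before:     external.access_before?(agent, 'change'),
    customer_own_ticket_before:    external.access_before?(customer, 'read'),
    colleague_shared_org_before:   external.access_before?(colleague, 'read'),
    customer_foreign_ticket_after: internal.access_after?(customer, 'read'),
  }
end

scenarios.each { |name, allowed| puts "#{name}: #{allowed}" } if $PROGRAM_NAME == __FILE__
```

Running the file prints one line per scenario. The agent_own_ticket_before / agent_own_ticket_after pair is the inconsistency from the post: the same agent is denied his own ticket under the first rule and granted it under the second, while the customer and shared-organization cases come out the same under both. The agent_own_ticket_change_after line is worth noticing before merging: the added check, like the owner shortcut next to it, never looks at the access argument, so it grants 'change' as well as 'read' on a ticket in a group the agent otherwise may not touch. Overviews and search are not modelled here, in line with the post leaving them out for now.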