Infos:
- Used Zammad version: 3.6.0-1614608376.e938924d.bionic
- Installation method (source, package, …): Debian
- Operating system: Ubuntu 18.04
- Database + version: MySQL 5.7
- Elasticsearch version: ES 7.11.1
- Browser + version: Firefox ESR (78.7.0)
Expected behavior:
- Zammad should allow read-only access to agent tickets when only a single group is available.
Actual behavior:
- When only a single group exists (or is enabled), role-based group access for Agent tickets is ignored and full access is granted.
Steps to reproduce the behavior:
- Create a new role (e.g. “Reader”) with “ticket > agent” enabled and “READ” and “OVERVIEW” checked for the “Users” group.
- Assign the new role to a new user (e.g. “Zammad Reader”).
- Assign the new role to the “Open” overview to allow the users to see ticket lists.
- Log in as the new user
- Navigate to the “Overviews” section and select a ticket
- Observe how the ticket can be freely edited (full access)
- As an admin, create a second group (e.g. “Test Group”)
- Check the Permissions for the “Zammad Reader” user and observe how there is now an explicit “FULL” permission ticked for the “Users” group in addition to the “Reader” role.
- Uncheck the “FULL” permission
- Now the Zammad Reader correctly only has read-only access to tickets.
In summary: When there is only one group, Zammad behaves as if there is a hidden “FULL” group permission on user accounts which have the Agent permission enabled. This overwrites the explicit role based group permission. Only after creating a second group to “reveal” the implicit access control, can you correct the situation.
Note: I raised this as a bug but it was closed and I was directed to post my comments here instead. I believe this to be a bug.
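The following is an added example, not code from the post or from the Zammad project: a small audit script that computes a user's effective per-group ticket permissions from the user and role objects as Zammad's REST API returns them, and flags any group permission granted directly on the user account that goes beyond what the user's roles grant (the hidden "FULL" grant the post describes would show up that way once it is visible in the API). It assumes that `/api/v1/users` and `/api/v1/roles` objects each carry a `group_ids` map of group id to a list of permission names (`read`, `create`, `change`, `overview`, `full`), that `full` implies the other four, and that effective access is the union of role grants and direct user grants; the sample objects below are constructed to mirror the reproduction steps, not captured from a real instance.

```python
"""Audit effective Zammad group permissions from API-shaped JSON.

Added example (not Zammad's own code). Assumed API shape: users and roles
carry "group_ids": {"<group id>": ["read", "overview", ...]}; the value
"full" is assumed to imply read/create/change/overview; effective access is
assumed to be the union of role grants and direct user grants.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data mirroring the post: one "Users" group, a "Reader"
# role with READ + OVERVIEW on it, and a user that additionally carries an
# explicit FULL grant on that group (the grant revealed after adding a
# second group). These objects are constructed, not real API output.
GROUPS = {"1": "Users", "2": "Test Group"}

ROLES = [
    {"id": 1, "name": "Admin", "permissions": ["admin"], "group_ids": {}},
    {"id": 2, "name": "Agent", "permissions": ["ticket.agent"], "group_ids": {}},
    {"id": 4, "name": "Reader", "permissions": ["ticket.agent"],
     "group_ids": {"1": ["read", "overview"]}},
]

USERS = [
    {"id": 5, "login": "zammad-reader", "role_ids": [4],
     "group_ids": {"1": ["full"]}},          # direct FULL on "Users"
    {"id": 6, "login": "reader-clean", "role_ids": [4],
     "group_ids": {}},                        # role grants only
]

BASIC_PERMS = ("read", "create", "change", "overview")


def expand(perms: List[str]) -> Set[str]:
    """Normalise a permission list: 'full' is assumed to imply the rest."""
    out = set(perms)
    if "full" in out:
        out.update(BASIC_PERMS)
    return out


def role_access(user: dict, roles: List[dict]) -> Dict[str, Set[str]]:
    """Per-group permissions granted through the user's roles only."""
    by_id = {r["id"]: r for r in roles}
    access: Dict[str, Set[str]] = {}
    for rid in user["role_ids"]:
        for gid, perms in by_id[rid].get("group_ids", {}).items():
            access.setdefault(gid, set()).update(expand(perms))
    return access


def effective_access(user: dict, roles: List[dict]) -> Dict[str, Set[str]]:
    """Union of role grants and direct user grants, per group (assumed model)."""
    access = role_access(user, roles)
    for gid, perms in user.get("group_ids", {}).items():
        access.setdefault(gid, set()).update(expand(perms))
    return access


def excess_grants(user: dict, roles: List[dict]) -> Dict[str, Set[str]]:
    """Permissions the account holds directly that none of its roles grant.

    These are the grants an auditor wants to review: a direct 'full' on a
    group where the role only allows read/overview is exactly the situation
    in the post.
    """
    via_roles = role_access(user, roles)
    excess: Dict[str, Set[str]] = {}
    for gid, perms in user.get("group_ids", {}).items():
        extra = expand(perms) - via_roles.get(gid, set())
        if extra:
            excess[gid] = extra
    return excess


def audit(users: List[dict], roles: List[dict]) -> List[Tuple[str, str, str]]:
    """(login, group name, sorted extra permissions) for every finding."""
    findings = []
    for user in users:
        for gid, extra in sorted(excess_grants(user, roles).items()):
            findings.append((user["login"], GROUPS.get(gid, gid),
                             ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for login, group, extra in audit(USERS, ROLES):
        print(f"{login}: direct grant on '{group}' exceeds roles by: {extra}")
```

Run against real data, the two constructed lists would be replaced by the JSON from `GET /api/v1/users` and `GET /api/v1/roles` (with an admin token); the check only sees grants that the API exposes, so it cannot reveal the single-group behaviour described in the post until the "FULL" entry actually appears on the user object.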