Agent role permissions are ignored when there is only a single group

Infos:

  • Used Zammad version: 3.6.0-1614608376.e938924d.bionic
  • Installation method (source, package, …): Debian
  • Operating system: Ubuntu 18.04
  • Database + version: MySQL 5.7
  • Elasticsearch version: ES 7.11.1
  • Browser + version: Firefox ESR (78.7.0)

Expected behavior:

  • Zammad should allow read-only access to agent tickets when only a single group is available.

Actual behavior:

  • When only a single group exists (or is enabled), role-based group access for Agent tickets is ignored and full access is granted.

Steps to reproduce the behavior:

  1. Create a new role (e.g. “Reader”) with “ticket > agent” enabled and “READ” and “OVERVIEW” checked for the “Users” group.
  2. Assign the new role to a new user (e.g. “Zammad Reader”).
  3. Assign the new role to the “Open” overview to allow the users to see ticket lists.
  4. Log in as the new user.
  5. Navigate to the “Overviews” section and select a ticket.
  6. Observe how the ticket can be freely edited (full access).
  7. As an admin, create a second group (e.g. “Test Group”)
  8. Check the Permissions for the “Zammad Reader” user and observe how there is now an explicit “FULL” permission ticked for the “Users” group in addition to the “Reader” role.
  9. Uncheck the “FULL” permission.
  10. Now the Zammad Reader correctly only has read-only access to tickets.

In summary: When there is only one group, Zammad behaves as if there is a hidden “FULL” group permission on user accounts which have the Agent permission enabled. This overwrites the explicit role-based group permission. Only after creating a second group to “reveal” the implicit access control can you correct the situation.

Note: I raised this as a bug, but it was closed and I was directed to post my comments here instead. I believe this to be a bug.
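An added audit example (not part of the report above and not Zammad's own code) that models how role-granted and direct user-level group permissions combine, and flags any access a user holds beyond what their roles grant, which is exactly the hidden “FULL” grant step 8 revealed. It assumes the UI's access names (read, overview, change, create, full) and that FULL implies every other level; the sample data is constructed from the report.

```ruby
# Access levels as listed in the Zammad group-permission UI (assumption: FULL implies all others).
ACCESS_LEVELS = %w[read overview change create full].freeze

# role_grants: { role => { group => [access, ...] } }
# user_roles:  { user => [role, ...] }
# user_grants: { user => { group => [access, ...] } }   direct, per-user grants
def effective_access(user, user_roles, role_grants, user_grants)
  result = Hash.new { |h, k| h[k] = [] }
  user_roles.fetch(user, []).each do |role|
    role_grants.fetch(role, {}).each { |group, levels| result[group] |= levels }
  end
  user_grants.fetch(user, {}).each { |group, levels| result[group] |= levels }
  # Expand FULL into the complete set so comparisons are level-by-level.
  result.transform_values { |levels| levels.include?('full') ? ACCESS_LEVELS.dup : levels }
end

# Access in effect minus access explained by roles: anything left comes from a
# direct user-level grant, visible or hidden.
def excess_access(user, user_roles, role_grants, user_grants)
  from_roles = effective_access(user, user_roles, role_grants, {})
  actual     = effective_access(user, user_roles, role_grants, user_grants)
  actual.each_with_object({}) do |(group, levels), excess|
    extra = levels - from_roles.fetch(group, [])
    excess[group] = extra unless extra.empty?
  end
end

# Constructed sample mirroring the report: the "Reader" role grants only
# read + overview on "Users".
ROLE_GRANTS = { 'Reader' => { 'Users' => %w[read overview] } }.freeze
USER_ROLES  = { 'Zammad Reader' => ['Reader'] }.freeze

# Before step 9: the implicit FULL grant the single-group UI did not show.
HIDDEN_GRANTS = { 'Zammad Reader' => { 'Users' => ['full'] } }.freeze
# After step 9: the FULL grant unticked.
FIXED_GRANTS  = { 'Zammad Reader' => {} }.freeze

if __FILE__ == $PROGRAM_NAME
  p excess_access('Zammad Reader', USER_ROLES, ROLE_GRANTS, HIDDEN_GRANTS)
  # => {"Users"=>["change", "create", "full"]}
  p excess_access('Zammad Reader', USER_ROLES, ROLE_GRANTS, FIXED_GRANTS)
  # => {}
end
```

A non-empty result for a user whose roles are meant to be read-only is the condition to alert on, regardless of how many groups the instance has.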

A small side note, as this topic did move on GitHub: we accepted this as a bug and will address this in the future.
