Customer can see tickets from other customers

Hi Guys

I don’t know if this is intended, but a user with the role customer (the default one, that is created when installing Zammad) can see all the other tickets, even if they are outside of his organization.

Infos:

  • Used Zammad version: 4.0.x
  • Used Zammad installation type: package
  • Operating system: Edit: Debian 10
  • Browser + version: Chrome 94.0.4606.71

Expected behavior:

  • User with a customer role can only see his own tickets. When he uses the search he only gets results from his own tickets.

Actual behavior:

  • When the user types * in the search field and hits enter, he gets a list with all the tickets from his organization. If he types some information that is contained in tickets outside of his organization, then he can also get results from tickets of other organisations.

Steps to reproduce the behavior:

  • See actual behavior.

Is this the intended behavior of Zammad and, if yes, how can I restrict the users with the role customer to only see their own tickets?

You should update to Zammad 5.0.1 asap - you’re prone to security issues.


I tried to reproduce your above mentioned behavior on a current 5.0.1 and can’t reproduce that.
I’m glad, because above would be everything but a responsible disclosure.

Check your users permissions if the issue persists on Zammad 5.x because then you got something configured wrong.

I upgraded to 4.1 and still have this issue. When I try to upgrade to 5.0.1 I have a problem that says something like “Login failed. Have you checked your connection info and completed your verification step”. I have my Zammad in German, so the message that I get is this:

image

I have tried to manually change the attribute verified to true in the rails console, but still can’t get it to work.

Ok I’ve seen that this issue is known and a solution is documented in this thread: Login failed after upgrade to 5.0

I will try again later and see if the issue is still there.

I upgraded Zammad to 5.0.1, but the problem was still there. I searched a little and found out that I had set the “shared organization” attribute to yes in each organization… Zammad wasn’t the problem all along.