Customers should never be able to send messages as another customer.
Actual behavior:
One of our users found a way to post messages from another user. He did the following:
(There has to be a Ticket with ‘pending reminder’ as status)
customer_one opens a ticket of another user, customer_two (he can see it, since it’s a shared organization).
This ticket is in state ‘pending reminder’, so he is able to change the pending time (which itself is a bug if you ask me, but that is not what this is about). → So he changes the date.
In addition, he wrote a small text in the “note box”.
As soon as he confirms with “send”, the message gets posted in this ticket BUT as the customer_two account (who owns this ticket). The date changes too.
==> So customer_one was able to successfully write a note as customer_two while changing the pending reminder date.
Steps to reproduce the behavior:
create a shared organization
create customer_one and customer_two as user accounts
add the new user accounts to your shared organization
create a pending reminder ticket for customer_two
Then just open the ticket as customer_one and modify the pending reminder date. In addition, write a note in the box (web interface). Now check as whom the message was registered.
It will be customer_two and NOT customer_one as we expected!
Regarding the pending reminder, it’s a known bug already.
Regarding the other “issue”, that a customer can send “as” another customer:
I think you’re not talking about “on behalf” functionality but actually two customers from the same organization. If so, you may want to check “shared” option of organization which allows exactly this.
Yes, he can send notes into another person’s ticket. It’s clear that he can do it within a shared organization.
My trouble is… as soon as he adds a note, it is always sent as the ticket owner, not himself.
He is an agent and a customer at the same time, a feature introduced in 3.5 (see Release Notes | Zammad 3.5, second point there).
So he has two roles. One is a general customer role, and one is as an agent:
He has full access to his own application, and he is able to open Tickets for the standard “Support” team. Nothing else.
The Ticket itself is assigned to a different department again. As you see up there, he has no right to open it as an agent. So he opens the Ticket as “customer”. He is able to write in the ticket with said “customer” permissions, since the ticket owner is a user of the same shared organization.
But everything he adds gets added as the ticket owner. He basically is an “imposter”.
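The defect described in this thread (a note written by one customer being recorded as the ticket owner) reduces to one invariant: the author of an article must come from the authenticated session, never from the ticket being edited. The following is an added example, not Zammad’s code, that models the shared-organization access rule from the reproduction steps above and shows the attribution bug beside its fix. All names (User, Organization, Ticket, Article, add_note_vulnerable, add_note_fixed, note_attributed_to_actor?) and the sample users and organizations are constructed for illustration.

```ruby
# Constructed, minimal model of customers, shared organizations, tickets and
# ticket notes. Not Zammad's data model; names are illustrative only.
User         = Struct.new(:id, :login, :organization_id)
Organization = Struct.new(:id, :name, :shared)
Ticket       = Struct.new(:id, :customer_id, :state)
Article      = Struct.new(:ticket_id, :body, :created_by_id)

# Constructed sample data: org 1 is shared (customer_one and customer_two),
# org 2 is not shared (an unrelated customer).
ORGS = {
  1 => Organization.new(1, 'shared-org', true),
  2 => Organization.new(2, 'other-org', false),
}
USERS = {
  10 => User.new(10, 'customer_one', 1),
  11 => User.new(11, 'customer_two', 1),
  12 => User.new(12, 'outsider', 2),
}

# A customer may work on a ticket if it is their own, or if the ticket's
# customer is in the same organization and that organization is shared.
def customer_can_access?(user, ticket)
  return true if ticket.customer_id == user.id

  owner = USERS.fetch(ticket.customer_id)
  org   = ORGS[owner.organization_id]
  !org.nil? && org.shared && owner.organization_id == user.organization_id
end

# Vulnerable variant: the access check is correct, but the note's author is
# taken from the ticket (its customer) instead of from the session. A
# customer in a shared organization therefore posts "as" the ticket owner.
def add_note_vulnerable(session_user, ticket, body)
  raise 'forbidden' unless customer_can_access?(session_user, ticket)

  Article.new(ticket.id, body, ticket.customer_id)
end

# Fixed variant: the author is always the authenticated user, regardless of
# which ticket the note is attached to.
def add_note_fixed(session_user, ticket, body)
  raise 'forbidden' unless customer_can_access?(session_user, ticket)

  Article.new(ticket.id, body, session_user.id)
end

# Regression check for the invariant: whatever a user posts must be recorded
# under that user's own id.
def note_attributed_to_actor?(article, session_user)
  article.created_by_id == session_user.id
end

if $PROGRAM_NAME == __FILE__
  ticket = Ticket.new(100, 11, 'pending reminder')   # owned by customer_two
  actor  = USERS[10]                                  # customer_one is logged in
  bad    = add_note_vulnerable(actor, ticket, 'hello')
  good   = add_note_fixed(actor, ticket, 'hello')
  puts "vulnerable: note by #{USERS[bad.created_by_id].login}"
  puts "fixed:      note by #{USERS[good.created_by_id].login}"
end
```

The access rule and the attribution rule are deliberately separate functions: the report in this thread is exactly the case where the first is right (customer_one may see and write in the ticket) and the second is wrong. A regression test for this class of bug should log in as one customer, write into a ticket owned by another customer of the same shared organization, and assert on the created_by of the resulting article rather than only on the HTTP status.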