Customers are able to send messages as another customer


  • Used Zammad version: 3.6.0
  • Used Zammad installation source: package
  • Operating system: CentOS 7
  • Browser + version: Chrome 88

Expected behavior:

  • Customers should never be able to send messages as another customer.

Actual behavior:

  • One of our users found a way to post messages from another user. He did the following:
    (There has to be a Ticket with ‘pending reminder’ as status)
  1. The customer_one opens a Ticket of another user customer_two (he can see it, since it’s a shared organization).
  2. This ticket is in state ‘pending reminder’ so he is able to change the pending time (which itself is a bug if you ask me, but that is not, what this is about). → So he does change the date.
  3. In addition, he wrote a small text in the “note box”.
  4. As soon he confirms with “send” the message gets posted in this ticket BUT as the customer_two account (who owns this ticket). The date is changing too.

==> So customer_one was able to successfully write a note as customer_two while changing the pending reminder date.

Steps to reproduce the behavior:

  • create a shared organization
  • create customer_one and customer_two as user accounts
  • add the new user accounts to your shared organization
  • create a pending reminder ticket for customer_two

Then just open the ticket as customer_one and modify the pending reminder date. In addition, write a note in the box (web interface). Now check as whom the message was registered.

It will be customer_two and NOT customer_one as we expected!

(And the date gets changed too… which is also wrong. But already known here → Pending till can be changed by customer via web interface · Issue #2671 · zammad/zammad · GitHub)

Regarding the pending reminder it’s a known bug already.

Regarding the other “issue” that a customer can send “as” another customer.
I think you’re not talking about “on behalf” functionality but actually two customers from the same organization. If so, you may want to check “shared” option of organization which allows exactly this.

Customers are allowed to see the tickets of other members and, of course, also add notes to it.
See: Organizations — Zammad documentation

Yes, he can send notes into another persons Ticket. It’s clear, that he can do it within a shared organization.
My trouble is… as soon he is adding a note, it is always send as the Ticket owner. Not himself.

Please provide configuration details of the roles affected by the customer and of an affected ticket.
Other wise this is impossible to reproduce.

Okay… lets see

All the base info is provided already.

He is an agent and a customer the same time. A feature introduced in 3.5 (–> Release Notes | Zammad 3.5 and there the second point)

So he has two roles. One is a general customer role. And one as an Agent:


He has full access to his own application, and he is able to open Tickets for the standard “Support” team. Nothing else.

The Ticket itself is assigned to a different department again. As you see up there, he has no right to open it as an agent. So he opens the Ticket as “customer”. He is able to write in the ticket with said “customer” permissions, since the ticket owner is a user of the same shared organization.

But everything he adds gets added as the ticket owner. He basically is an “imposter”.

Please share the detail configuration of each affected role.

He has this role:

Here is nothing checked except what I posted already.

And he also has this role:

But also here is nothing else checked then you see already here.

He just has these two roles.

The whole role configuration please.
Please don’t get me wrong, I’d like to double tab.

How would you wish to get the config? :slight_smile:

Pictures? Texts? Can I get them over API and send you the output?

Sorry, I can’t use Discourse for sharing these screenshots. How can I send them properly to you?

I’m sorry, I can’t accept alternative communication channels.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.