Customers can access tickets that are not owned by them because of linked ticket

Infos:

  • Used Zammad version: 3.4
  • Used Zammad installation source: package
  • Operating system: Debian
  • Browser + version: Firefox

Expected behavior:

  • A linked ticket where customer is not involved should not be accessible by the customer/organisation in the web UI in the search results

Actual behavior:

  • When you Split a ticket
  • And in the new ticket replace the customer by e.g. an internal person
  • The two tickets are automtically linked by ZAMMAD
  • But if the original user logs-in he cannot see the ticket in overviews (fine!)
  • But when he searches for text that might be also in the new ticket, he can see it and open it and it is accessible.

So it seems that “linked” tickets are always accessible by all of the customers that are involved in any of the linked tickets?

Is this intended behavior?

Steps to reproduce the behavior:

See “Actual behavior” for reproducing it.

There are many reasons to link tickets. And if in all tickets the customer (or organisation) is the same it is ok that everybody can access the linked tickets. But there are maybe many other situations where you want to link tickets from different customers.

The use case for my question is: we are thinking of how we can handle for example “request for changes”? We planned to do the following:

  • someone has an issue and creates a ticket
  • We identity it as an RFE
  • So we split the ticket and create a new ticket of type e.g. “RFE”
  • In the new ticket we replace the customer with an internal object person like the Product Owner
  • So we can now handle it seperately, and the customer cannot see it.
  • It might happen that also other tickets from other customers will be linked to such RFE tickets

But we do not want to make this accessible to all linked tickets customers.

Does this makes sense?
Or can i configure if customers also can access linked tickets somehow.

Best Regards and thanks for the really great tool!
Marco.

No this is not true.
Please check if the customer in question is member of an organization and if the user is, ensure that shared organization is set to “no”.

(see: https://admin-docs.zammad.org/en/latest/manage/organizations.html )

If that still doesn’t help, please double tab you didn’t provide agent permissions to said user.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.