first: We use Zammad every day and I made some plugins for our company (like the dashboard for the tv, example see: https://i.ibb.co/dkH25rk/stat.png).
But now we saw a security problem (in my case it is). All agents have the rights to editing the customers because they should add some new informations if they know it (like telephone number or mobile number and some other informations).
If I activate the checkbox in the role settings on “agents” named “user” to manage the users, they can edit users over the ticket or use the gear on the footer. Problem: If this is activated, the agents can give herself admin-rights, if he click on the checkbox “admin”. So the user is admin right now. We use LDAP, so after an hour the admin-status is reseted, but people they don’t use LDAP have a problem now.
If i deactivate the “user” section, they only allowed to create new user, but can’t manage exisiting users. I believe, a many companies want, that they employees can mange existing users too, but can’t manage there status. (because agent is a lower status as admin)
I hope everyone knows, what I mean and can help or fix that.
Please be careful about wordings like “Security Bug”, because they can quickly cause quite some wind.
Also, if you find security issues, we’d appreciate responsible disclosures instead of public notices.
Anyway. The “user management” permission you’re talking about is, is the permission admin.user.
This naturally means that you can update user information, their password, roles and even take over the user session if required. Normal agents should never receive those permissions unless needed.
A normal agent can update all relevant customer accounts if needed excluding roles, passwords and taking over sessions.
They still can, just use the search function on the upper left!
Edit: I’ve been changing this topics title (removed “Security-Bug”) and changed the category to “technical assistance”, because this is what this post is.
Seems like the user in question is an agent.
You can’t update other agent accounts without admin.user permission. The documentation currently does miss this hint. This behaviour is on purpose.
This however does not affect normal customer accounts.
