To cut a long story short: we have a privacy issue and need to disable auto-complete in the recipient field and haven’t figured out how yet.
Now the long version.
We are currently using Zammad 6.4.1 or already 6.5 on the test system.
We have a large Zammad installation that is used by about 20 customers with many agents. The customer areas are defined by roles without mutual reading permissions, so there is no insight into the tickets of other roles. However, Zammad apparently only uses one user database in which the reading rights cannot be restricted by roles. For reasons of the GDPR, this is problematic in our case, as personal data (email, name) of contacts of other customers can be viewed in various places.
I have tried a number of approaches with automatisms, triggers and the GDPR job function and none of them solve the problem.
Instead, I have been able to hide most of the critical areas by making CSS adjustments (I know that security through obscurity is not the optimal solution).
Here’s an excerpt from my custom.css if anyone is curious:
However, there is one last point that causes problems: if you enter a few letters in a mail and then press Enter, a name including email is still completed. The whole case is currently stuck on this little detail. I couldn’t prevent this with CSS; probably the JavaScript would have to be edited here.
How can I deactivate the function?
Does anyone know which JavaScript files are responsible? How can I overwrite and reload them?
I encountered a similar issue where the recipient autocomplete wasn’t functioning as expected. After some troubleshooting, I found that restarting the server resolved the problem. It seems that the internal database needed a refresh to properly supply the pre-loaded suggestions when typing a customer name.
Sorry but what? You’re “hosting” a Zammad instance for several different customers that are on the same installation? Are you okay?
Agents by default have access to all user info. Even if you’d be able to achieve what you’re trying to do, you’d still have a data leak due to improper configurations.
Zammad has one user database as you correctly found out. You cannot restrict it. Customer users should NEVER have any agent permissions. If they do, you’re creating data leaks.
This is not an application issue, but a configuration issue.
I’ve just realized that I’ve mixed up a few terms. This can indeed be read differently than I intended.
We have a large Zammad installation that is used by about 20 institutions (not customers) with many agents. The institutions’ (not customers) areas are defined by roles without mutual reading permissions, so there is no insight into the tickets of other roles. However, Zammad apparently only uses one user database in which the reading rights cannot be restricted by roles. For reasons of the GDPR, this is problematic in our case, as personal data (email, name) of contacts of other institutions’ customers can be viewed in various places.
This should be the correct version, sorry.
Customer users should NEVER have any agent permissions. If they do, you’re creating data leaks.
The actual customers have no access to the system at all and they don’t have agent permissions. That would be way worse…
Is there a possibility to overwrite the affected JS files?
Technically yes, but it’s security by obscurity and thus doesn’t make any sense to do.
If your institutions are legally divided and cannot share customer information (as an example), then you have to strictly divide the user base in several instances.
That’s right. But in the short term, it would help us to modify the files. We will have to find a better solution eventually.
Which files are responsible for the auto-complete? Would it be sufficient to edit or delete a few lines of code?