User without customer role can still create tickets over webform and e-mail

(Imported from GitHub)

Infos:

  • Used Zammad version: 2.6.x
  • Installation method (source, package, …): package
  • Operating system:
  • Database + version:
  • Elasticsearch version:
  • Browser + version: Firefox

Expected behavior:

  • If, e.g., an unwanted SPAM user is set as inactive and has customer roles removed (also has no other role), he should not be able to create tickets via e-mail or the web form.

Actual behavior:

  • The opposite. Any user ever registered to the Zammad system can always open tickets via the web form or the API, and the Zammad admin can’t do anything about it when the mentioned channels are used. This is horrible behaviour and makes any web form approach basically unusable.
  • Mail can at least be blocked via Mail filter rules so the spammer e-mail is added. This is still very inconvenient but at least works to block users.

Steps to reproduce the behavior:

  • Create new ticket via e-mail or web-form (external web forms that use the API are also affected).
  • Set the user to inactive and remove his customer role.
  • Try creating a new ticket using the aforementioned channels. Still works.

Yes I’m sure this is a bug and no feature request or a general question