Validate the email address of a newly created user

  • Used Zammad version: 2.4
  • Used Zammad installation source: Docker images

Expected behavior:

  • When a user creates their own account via the web interface, the email address should be validated.

Actual behavior:

  • When a user creates their own account via the web interface, they can directly log in to the organisation.

Steps to reproduce the behavior:

  • When domain-based assignment and shared organisation are enabled for an organisation and users can create their own accounts via the web interface, a user can create an account with a random email, and the email is not validated. Now the user can see all tickets of the organisation.

E.g. the org has the domain example.org; I can create any user like xyz@example.org. Now this user is able to see all other tickets of the org.

If you use the REST call GET /api/v1/users/{id}, you will receive a response with “verified”, which is “false” by default. Maybe something is planned for the future?

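To audit an instance for the situation described in this post, the following is an added example (not Zammad's own code and not from the poster): it walks user and organization records as the REST API returns them and flags unverified users whose address merely matches the domain of a shared organization with domain assignment. The user field "verified" is the one seen on GET /api/v1/users/{id}; the organization fields "shared", "domain" and "domain_assignment" are assumed names, and the records below are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample API responses, not real Zammad data.
# "verified" on users is documented on the page; the organization field
# names "shared", "domain" and "domain_assignment" are an assumption.
ORGANIZATIONS_JSON = """[
  {"id": 1, "name": "Example Org", "shared": true, "domain": "example.org", "domain_assignment": true},
  {"id": 2, "name": "Other Org",   "shared": false, "domain": "other.test",  "domain_assignment": true}
]"""

USERS_JSON = """[
  {"id": 10, "email": "alice@example.org",   "organization_id": 1,    "verified": true},
  {"id": 11, "email": "xyz@example.org",     "organization_id": 1,    "verified": false},
  {"id": 12, "email": "bob@other.test",      "organization_id": 2,    "verified": false},
  {"id": 13, "email": "mallory@example.org", "organization_id": null, "verified": false}
]"""


def email_domain(email: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def exposed_unverified_users(users: List[Dict], organizations: List[Dict]) -> List[Dict]:
    """Users who can read a shared organization's tickets only because their
    unverified address matches that organization's assignment domain."""
    risky_orgs = {
        o["id"]: o for o in organizations
        if o.get("shared") and o.get("domain_assignment") and o.get("domain")
    }
    findings = []
    for u in users:
        org = risky_orgs.get(u.get("organization_id"))
        if org is None or u.get("verified"):
            continue  # not in a risky org, or the address was verified
        if email_domain(u.get("email", "")) == org["domain"].lower():
            findings.append({"user_id": u["id"], "email": u["email"], "organization": org["name"]})
    return findings


def audit(users_json: str = USERS_JSON, orgs_json: str = ORGANIZATIONS_JSON) -> List[Dict]:
    """Parse the (sample) API payloads and return the findings."""
    return exposed_unverified_users(json.loads(users_json), json.loads(orgs_json))


if __name__ == "__main__":
    for f in audit():
        print(f"unverified user {f['user_id']} <{f['email']}> can read tickets of {f['organization']}")
```

Only user 11 is reported: user 12's organization is not shared, and user 13 was never assigned to the organization.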

This could be a security problem if you don’t know about the fact that a user can potentially get access to tickets which should not be shown to them.

I’m not sure I understand how requiring a new user to validate their email address changes what tickets a new user can see?

I also think this isn’t that big of an issue. If this behavior is not wanted, just turn off the “shared organization” option.

But I guess what @scheeles is trying to say is: if a company automatically adds users with an e-mail address ending in @my-domain.com, then someone can go ahead and register with name@my-domain.com and see all the tickets without any verification of whether the user has access to the e-mail address.

A verification e-mail would make sure that the user at least has access to an e-mail address ending in @my-domain.com.

But you still can’t be sure whether the colleague/employee should see all tickets. This probably depends on the type of clients you’re serving.

Oh, of course. Thanks for clearing that up @ecomsilio. Makes perfect sense now.


That makes sense. This should get a feature request. I personally like the idea that a user who creates an account for themselves has to verify the e-mail address before being able to post anything (or even view).

This might be DSGVO (GDPR) relevant too.
