Expected behavior:
When a user creates their own account via the web interface, the email address should be validated.
Actual behavior:
When a user creates their own account via the web interface, they can directly log in to the organisation.
Steps to reproduce the behavior:
When domain-based assignment and shared organisation are enabled for an organisation and users can create their own account via the web interface, a user can create an account with a random email and the email is not validated. Now the user can see all tickets of the organisation.
E.g. the org has the domain example.org; I can create any user like xyz@example.org. Now this user is able to see all other tickets of the org.
If you use the REST call GET /api/v1/users/{id} you will receive a response with “verified”, which is “false” by default. Maybe something is planned for the future?
This could be a security problem if you don’t know about the fact that a user can potentially get access to tickets which should not be shown to the user.
I also think this isn’t that big of an issue. If this behavior is not wanted, just turn off the “shared organization” option.
But I guess what @scheeles tries to say is, if a company automatically adds users with an e-mail address ending in @my-domain.com, then someone can go ahead and register with name@my-domain.com and can see all the tickets, without verifying that the user has access to the e-mail address.
A verification e-mail would make sure that the user at least has access to an e-mail address ending in @my-domain.com.
But still you are not sure if the colleague/employee should see all tickets. This probably depends on the type of clients you’re serving.
That makes sense. This should get a feature request. I personally like the idea that a user creating an account for himself has to verify the e-mail address before being able to post anything (or even view).
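The access rule discussed in this thread, as an added example that is not code from the original issue or from the project it concerns. It models domain-based assignment (a self-registered user whose e-mail domain matches an organisation is placed in it), the "shared organisation" option (every member sees all of the organisation's tickets), and the `verified` flag returned by GET /api/v1/users/{id}. `visible_tickets` with `require_verified=False` reproduces the reported behaviour; with `require_verified=True` it is the hardened rule that only grants organisation-wide visibility once the address is verified. The organisations, users and tickets are constructed sample data, and the function names are assumptions made for this illustration.

```python
import json

# Constructed sample data for this illustration (not from the project).
ORGS = {
    1: {"id": 1, "name": "Example Org", "domain": "example.org",
        "domain_assignment": True, "shared": True},
}

USERS = {
    10: {"id": 10, "email": "alice@example.org", "verified": True},
    # Self-registered with a matching domain, never verified: the case in the issue.
    11: {"id": 11, "email": "xyz@example.org", "verified": False},
    12: {"id": 12, "email": "bob@other.example", "verified": True},
}

TICKETS = [
    {"id": 100, "organization_id": 1, "customer_id": 10},
    {"id": 101, "organization_id": 1, "customer_id": 11},
    {"id": 102, "organization_id": None, "customer_id": 12},
]


def parse_user(json_text):
    """Read a user record shaped like the GET /api/v1/users/{id} response.

    Only "id", "email" and "verified" are used. A missing or non-boolean
    "verified" is treated as False, matching the thread's observation that
    the flag is false by default.
    """
    data = json.loads(json_text)
    return {
        "id": int(data["id"]),
        "email": str(data["email"]),
        "verified": data.get("verified") is True,
    }


def email_domain(email):
    """Domain part of an address, lower-cased, taken after the last '@'."""
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].strip().lower()


def assign_organization(user, orgs=ORGS):
    """Domain-based assignment: map the user's e-mail domain to an organisation id."""
    domain = email_domain(user["email"])
    for org in orgs.values():
        if org["domain_assignment"] and org["domain"].lower() == domain:
            return org["id"]
    return None


def visible_tickets(user_id, require_verified, users=USERS, orgs=ORGS, tickets=TICKETS):
    """Sorted ids of the tickets a user may see.

    require_verified=False: membership in a shared organisation is enough
    (the reported behaviour). require_verified=True: organisation-wide
    visibility additionally needs a verified e-mail address (hardened rule).
    A user always sees their own tickets.
    """
    user = users[user_id]
    ids = {t["id"] for t in tickets if t["customer_id"] == user_id}
    org_id = assign_organization(user, orgs)
    org = orgs.get(org_id)
    if org and org["shared"] and (user["verified"] or not require_verified):
        ids.update(t["id"] for t in tickets if t["organization_id"] == org_id)
    return sorted(ids)


if __name__ == "__main__":
    # Constructed response body, shaped like the API reply described in the thread.
    api_json = '{"id": 11, "email": "xyz@example.org", "verified": false}'
    user = parse_user(api_json)
    print("verified:", user["verified"])
    print("reported behaviour:", visible_tickets(11, require_verified=False))
    print("hardened behaviour:", visible_tickets(11, require_verified=True))
```

Two caveats a practitioner would keep in mind: the domain comparison must use the part after the last `@`, lower-cased, or a crafted address slips past it; and, as the thread itself notes, a verified address only proves mailbox access at that domain, so the hardened rule still shows every organisation ticket to any verified colleague, which may or may not be what the organisation wants.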