Why are `internal` articles available thru API?

I was wondering why internal articles can be retrieved via the JSON service at the endpoint /api/v1/ticket_articles/by_ticket/. Aren't internal articles meant to be "private"?

Hey @fluca1978 ,

If you are authenticated as an agent, it should display internal articles. As a customer, it should not. If you have any evidence of a security issue, you should not share it in the community → security@zammad.com

Thanks!
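One way to turn the rule in the reply above (agents see internal articles, customers do not) into a check an administrator can run against their own instance. This is an added example, not code from the thread or from Zammad itself. It assumes the by_ticket endpoint returns a JSON list of article objects that each carry a boolean `internal` field, and that API tokens are sent as `Authorization: Token token=...`; the sample articles are constructed inline so the audit runs offline.

```python
"""Audit a Zammad ticket-article listing for internal articles visible to a customer.

Added example, not Zammad's own code. Assumed response shape of
/api/v1/ticket_articles/by_ticket/<ticket_id>: a JSON list of article objects,
each with an integer "id" and a boolean "internal" field.
"""
import json
import urllib.request

# Constructed sample of what the endpoint might return for one ticket.
SAMPLE_ARTICLES = [
    {"id": 1, "ticket_id": 7, "internal": False, "body": "Customer question"},
    {"id": 2, "ticket_id": 7, "internal": True, "body": "Agent-only note"},
    {"id": 3, "ticket_id": 7, "internal": False, "body": "Public reply"},
]


def internal_article_ids(articles):
    """Return the ids of articles flagged internal, in ascending order."""
    return sorted(a["id"] for a in articles if a.get("internal") is True)


def audit_listing(role, articles):
    """Apply the expected rule: customers must never receive internal articles.

    Returns a dict with the internal ids present in the listing and, for a
    customer session, the ids that should not have been there.
    """
    internal_ids = internal_article_ids(articles)
    leaked = internal_ids if role.lower() == "customer" else []
    return {
        "role": role,
        "internal_present": internal_ids,
        "leaked": leaked,
        "ok": not leaked,
    }


def fetch_articles(base_url, token, ticket_id):
    """Fetch the live listing for a ticket (assumed token header format).

    Not called by default so the example runs without a Zammad instance.
    """
    url = f"{base_url.rstrip('/')}/api/v1/ticket_articles/by_ticket/{ticket_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Token token={token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same listing evaluated under both roles: fine for an agent,
    # a finding worth reporting to security@zammad.com if seen by a customer.
    for role in ("Agent", "Customer"):
        print(audit_listing(role, SAMPLE_ARTICLES))
```

To use it against a real instance, call `fetch_articles()` once with a customer token and once with an agent token for the same ticket and pass each result to `audit_listing()` with the matching role; an "ok": False result for the customer session is the evidence the reply above asks to be sent privately.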

I'm authenticated as an agent, but I thought that internal articles were visible (via API) only to the same user, not to another one (even if an agent).
I don't think this is a security issue, rather my misunderstanding of the concept of internal.
