User can see other people's tickets

Dear List,

I have granted the CreateTicket and SeeQueue to the group everyone in a
particular queue.

I have also let a certain user log in by giving them a password.

Now when I log in as them, I can see all the tickets that they have created,
they can reply to their own tickets and create a new one.

This is perfect and what I would expect.

However, if they put in a ticket number that is not their own, in the Go To
box, they can see that ticket (which is in the same queue).

Should they be able to see a ticket that is not their own?

Should I just create a new queue specifically for them, i.e.:

their-company-support

And handle it that way?

I would have thought that you should only be able to select a ticket that you
created, no?

Thanks,

Gavin.

Kind Regards,

Gavin Henry.

Gavin Henry wrote:

> However, if they put in a ticket number that is not their own, in the Go To
> box, they can see that ticket (which is in the same queue).
>
> Should they be able to see a ticket that is not their own?

Not unless you give them the right to do so…

> I would have thought that you should only be able to select a ticket that you
> created, no?

If that’s how your rights are set up, yes. :) Perhaps your
Everyone (or (Un)Privileged) group has some rights it shouldn’t
have, either globally or at the queue level?

> Gavin Henry wrote:
>> However, if they put in a ticket number that is not their own, in the Go To
>> box, they can see that ticket (which is in the same queue).
>>
>> Should they be able to see a ticket that is not their own?
>
> Not unless you give them the right to do so...

I have set no rights globally, the only rights I have set relate to the
only two queues we have.

The only group given rights (except a staff group) is everyone, which has:

CreateTicket
ReplyToTicket
SeeQueue

That’s it.

If I enable an automatically created user to log in, they can “Go To
Ticket” and put in ticket #1 etc. and see tickets that are not theirs.

Most, however, do say “Permission Denied”, but some don’t.

>> I would have thought that you should only be able to select a ticket that you
>> created, no?
>
> If that’s how your rights are set up, yes. :) Perhaps your
> Everyone (or (Un)Privileged) group has some rights it shouldn’t
> have, either globally or at the queue level?

See above.

Gavin Henry wrote:

> If I enable an automatically created user to log in, they can “Go To
> Ticket” and put in ticket #1 etc. and see tickets that are not theirs.
>
> Most however, do say “Permission Denied”, but some don’t.

ok, so what do the “some” have in common that the “most” don’t?