osTicket v1.10 (stable) and Maintenance Release v1.9.15 are now available! Go get it now
Bug? Seeing Ticket Subjects of Other Departments Tickets
If a member of one department logs into OSTicket's agent panel, they cannot see tickets not assigned to their department, which is perfect. However if they goto the Users tab and select a user, they can see the subjects for all tickets that user submitted, including ones to other departments. Even though clicking on a ticket from another department will give an "Access Denied", the subjects of the tickets are still visible to non-department agents. In the way I'm using OSTicket, this provides a problem, as all tickets need to be completely separated by department and not visible to any agents outside the department the ticket was issued to.
My thought is that for the agent panel user page (inside the "User Directory" tab), the info pulled from the sql database could be filtered to only pull ticket info for entries that have the same "dept_id" as the staff member logged into the agent panel. Looking into it, I'm thinking a small change needs to be made to include/staff/templates/tickets.tmpl.php, on line #26:
$where = 'WHERE ticket.user_id = '.db_input($user->getId());
adding an "AND" statement to the sql pull $where variable, for " ticket.dept_id" to equal the "dept_id" sql database field of the staff member? This way only tickets with matching department IDs would be pulled to be displayed. This is a bit more complicated than my skills, so I'm hoping something can help? I'd appreciate any thoughts on this.
Many thanks in advance,
-OSTicket v1.9.12 on Ubuntu 14.04.2