Bug? Seeing Ticket Subjects of Other Departments Tickets

If a member of one department logs into OSTicket's agent panel, they cannot see tickets not assigned to their department, which is perfect. However if they go to the Users tab and select a user, they can see the subjects for all tickets that user submitted, including ones to other departments. Even though clicking on a ticket from another department will give an "Access Denied", the subjects of the tickets are still visible to non-department agents. In the way I'm using OSTicket, this provides a problem, as all tickets need to be completely separated by department and not visible to any agents outside the department the ticket was issued to.

My thought is that for the agent panel user page (inside the "User Directory" tab), the info pulled from the sql database could be filtered to only pull ticket info for entries that have the same "dept_id" as the staff member logged into the agent panel.  Looking into it, I'm thinking a small change needs to be made to include/staff/templates/tickets.tmpl.php, on line #26:

if ($user)
    $where = 'WHERE ticket.user_id = '.db_input($user->getId());


adding an "AND" statement to the sql pull $where variable, for "ticket.dept_id" to equal the "dept_id" sql database field of the staff member? This way only tickets with matching department IDs would be pulled to be displayed. This is a bit more complicated than my skills, so I'm hoping someone can help? I'd appreciate any thoughts on this.

Many thanks in advance,
-OSTicket v1.9.12 on Ubuntu 14.04.2
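
One way to build the department-scoped clause proposed in the post above, as an added example that is not part of the original post or of osTicket's code. `build_user_ticket_where()` and `$agentDeptIds` are hypothetical names, the sample values are constructed, and how the logged-in agent's department IDs are obtained is left to the caller.

```php
<?php
// Added example, not osTicket code. build_user_ticket_where() and its
// parameters are hypothetical names; the sample values are constructed.

/**
 * Build the WHERE clause for the user page's ticket list, limited to the
 * departments the logged-in agent is allowed to access.
 *
 * @param int   $userId       ID of the user whose tickets are listed
 * @param array $agentDeptIds department IDs the agent may access
 * @return string             SQL WHERE clause
 */
function build_user_ticket_where($userId, array $agentDeptIds)
{
    // Cast every ID to int so only numeric values reach the SQL string
    // (stand-alone stand-in for the template's db_input() call), then
    // drop zero/invalid entries and duplicates.
    $deptIds = array_unique(array_filter(array_map('intval', $agentDeptIds)));

    $where = 'WHERE ticket.user_id = ' . (int) $userId;

    if (!$deptIds) {
        // Fail closed: with no department access, match no tickets at all
        // instead of falling back to the unfiltered per-user listing.
        return $where . ' AND 1 = 0';
    }

    // Only tickets whose department is in the agent's list are selected,
    // so subjects from other departments never reach the template.
    return $where . ' AND ticket.dept_id IN (' . implode(',', $deptIds) . ')';
}

// Constructed sample: user 42, agent allowed in departments 3 and 7.
echo build_user_ticket_where(42, array(3, 7)), "\n";

// Constructed sample: agent with no department access.
echo build_user_ticket_where(42, array()), "\n";
```

Filtering in the query, not in the display loop, keeps any ticket count or pagination on the user page from revealing how many tickets exist in other departments.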

Comments

  • edited November 2015
    If I'm not mistaken several users already reported security concerns regarding this and if I remember correctly this will be addressed with the next major version (1.10 - currently in development - do not use for productive environment!).

    Unfortunately I can't tell you what needs to be changed to fix this in the current version.
  • Thanks, sorry if I missed other comments on this, I looked around and didn't see anything about it.

    I actually did call the support number and was impressed to have someone answer right away and offer help.  She mentioned that she would forward the bug to the developers and that the new version (1.10) would have an option to disable the User Directory from certain departments.  This will work, when it comes out.

    In the meantime, I did find another post mentioning moving the User Directory to the Admin panel from the Agent panel.  For now, this is a usable work-around until the next version of OSTicket is released.  Here is where I found that:


    Thanks for the help, Chefkeks.  If I find a better fix, I'll post it here.
  • Great you found a solution for your issue and yes that support number is (during their business hours) not just there for nothing. Sounds like she (btw she is named Karen ;) ) did a good job :)

    Cheers,
    Michael