
No Ticket # Required for Client Login

Hello! This issue has been posted about in the forums before, but no resolutions from what I could see. I'm looking for a modification that will strip the necessity for clients to put in a ticket # when checking on their ticket status.

In other words, making the email the only field needed to validate the owner when checking tickets.

We use the ticket system on our internal network, so security is not an issue. I'm just trying to make the process easier for our staff.

I've tried changing almost everything in login.php, but no luck. Any advice would be much appreciated.

Comments

  • If security is an issue that does not matter... why not use the /scp (which does not require a ticket ID) with a well-defined security policy over the tickets?
  • equisde;40627 said:
    If security is an issue that does not matter... why not use the /scp (which does not require a ticket ID) with a well-defined security policy over the tickets?
    We don't want every staff member in our company to have administrator privileges over tickets. The client portal provides just enough access and the ability to reply to open tickets, which is what we need. Besides, if we opened SCP, they would still need to maintain a username/password, which is the same as an email/ticket number.

    All we need is to remove the requirement for a ticket number when logging in from the client side - surely it can't be that difficult, but every time I strip code I either get a server error or still get "invalid login" "authentication error"
  • That's why I wrote "well-defined security policy over tickets". You can define a group with all restrictions (cannot edit, close, transfer, delete, block... etc.) but create tickets... and set the users that belong to this group as Users instead of Admins. This way the users belonging to this group will have the behavior you want.

    On the other hand, I don't think what you said ("...they would still need to maintain a username/password, which is the same as an email/ticket number") is completely true, because they just need to remember a password, not every ticket number.

    I have osTicket implemented for a customer in the way that you want and it is working properly, with no source code modifications. But this is just a suggestion.
  • equisde;40640 said:
    On the other hand, I don't think what you said ("...they would still need to maintain a username/password, which is the same as an email/ticket number") is completely true, because they just need to remember a password, not every ticket number.
    Thank you for the recommendation, but we are not looking to give everyone access to the SCP pages. Giving people a password would defeat the purpose of just making them input a ticket number on the "client portal".

    We just wanted to see if it's possible to remove the ticket number requirement on the client portal page. That's all.
  • Ok let's go...

    I have not tried it, so please make a copy of your files...

    at include\client\login.inc.php

    Search for and comment out this line



    <td>Ticket ID:</td><td><input type="text" name="lticket" size="10" value="<?php echo $t ?>"></td>



    at include\class.client.php

    Search


    function lookup($id,$email=''){
        $sql='SELECT ticket_id,ticketID,name,email FROM '.TICKET_TABLE.' WHERE ticketID='.db_input($id);
        if($email){ //don't validate...using whatever is entered.
            $sql.=' AND email='.db_input($email);
        }




    Replace with


    function lookup($id,$email=''){
        $sql='SELECT ticket_id,ticketID,name,email FROM '.TICKET_TABLE.' WHERE email='.db_input($email);
        //The if(...){ ... } block above is dropped entirely; keep the rest of the
        //function body (the db_query and fetch) as it was. Do not leave the old
        //closing brace of the if here, or it closes the function early.



    This should get it working
  • Thank you for the attempt, but if I take out:

        if($email){ //don't validate...using whatever is entered.
            $sql.=' AND email='.db_input($email);


    I get a server error.

    If I leave that in, it won't let me log in with just the email address (it still says "authentication required").
  • You don't just need to take out these lines...you should change the WHERE clause as mentioned above:

    Before...

    ...WHERE ticketID='.db_input($id);


    After...


    ...WHERE email='.db_input($email);
  • I see what you're saying.

    However, I changed class.client to:

    function lookup($id,$email=''){
        $sql='SELECT ticket_id,ticketID,name,email FROM '.TICKET_TABLE.' email='.db_input($email);
        if($email){ //don't validate...using whatever is entered.
            $sql.=' AND email='.db_input($email);
        }


    And commented out the

    <td>Ticket ID:</td><td><input type="text" name="lticket" size="10" value="<?php echo $t ?>"></td>


    And it's still throwing back an "authentication required" message :-/
  • Does anyone have an answer for this modification, please?
  • Your Answer!

    This is the solution that I have devised for this:

    class.ticket.php

    /*============== Static functions. Use Ticket::function(params); =============nolint*/
    function getIdByExtId($extId=null, $email=null) {

        //With neither value the SELECT below would have no WHERE clause and
        //return the first ticket in the table, so refuse to build it.
        if(!$extId && !$email) return null;

        $sql ='SELECT ticket_id FROM '.TICKET_TABLE.' ticket ';

        /*DYNAMIC SELECTION*/
        if($extId)
            $sql.=' WHERE ticketID='.db_input($extId);

        if($email && !$extId)
            $sql.=' WHERE email='.db_input($email);

        if($extId && $email)
            $sql.=' AND email='.db_input($email);

        $id = null; //avoid an undefined variable when nothing matches
        if(($res=db_query($sql)) && db_num_rows($res))
            list($id)=db_fetch_row($res);

        return $id;
    }

    /*ADD THIS FUNCTION*/
    function getIdByEmail($email) {

        if(!$email) return null;

        //One email can own several tickets; with no ORDER BY this returns
        //whichever matching row MySQL yields first.
        $sql ='SELECT ticket_id FROM '.TICKET_TABLE.' ticket ';
        $sql.='WHERE email='.db_input($email);

        $id = null;
        if(($res=db_query($sql)) && db_num_rows($res))
            list($id)=db_fetch_row($res);

        return $id;
    }



    login.php


    if($_POST) {

        /*REMOVE trim($_POST['lticket']) and replace with '' */
        if(($user=Client::login('', trim($_POST['lemail']), null, $errors))) {
            //XXX: Ticket owner is assumed.
            @header('Location: tickets.php?id='.$user->getTicketID());
            require_once('tickets.php'); //Just in case of 'header already sent' error.
            exit;
        } elseif(!$errors['err']) {
            $errors['err'] = 'Authentication error - try again!';
        }
    }




    class.client.php (large change)


    /* static */ function login($ticketID, $email, $auth=null, &$errors=array()) {
        global $ost;

        $cfg = $ost->getConfig();
        $auth = trim($auth);
        $email = trim($email);
        /*REPLACE $ticketID = trim($ticketID) with the following */
        $ticketID = Ticket::getIdByEmail($email);

        # Only consider auth token for GET requests, and for GET requests,
        # REQUIRE the auth token
        $auto_login = ($_SERVER['REQUEST_METHOD'] == 'GET');

        //Check time for last max failed login attempt strike.
        if($_SESSION['_client']['laststrike']) {
            if((time()-$_SESSION['_client']['laststrike'])<$cfg->getClientLoginTimeout()) {
                $errors['login'] = 'Excessive failed login attempts';
                $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
                $_SESSION['_client']['laststrike'] = time(); //renew the strike.
            } else { //Timeout is over.
                //Reset the counter for next round of attempts after the timeout.
                $_SESSION['_client']['laststrike'] = null;
                $_SESSION['_client']['strikes'] = 0;
            }
        }

        if($auto_login && !$auth) {
            $errors['login'] = 'Invalid method';
        //remove !$ticketID ||
        }elseif(!Validator::is_email($email)){
            $errors['login'] = 'Valid Email Required';
        }

        //Bail out on error.
        if($errors) return false;

        /* REPLACE $ticketID with null */
        if(($ticket=Ticket::lookupByExtId(null, $email)) && $ticket->getId()) {
            //At this point we know the ticket ID is valid.
            //TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
            //Check the email given.

            # Require auth token for automatic logins (GET METHOD).
            if (!strcasecmp($ticket->getEmail(), $email) && (!$auto_login || $auth === $ticket->getAuthToken())) {

                //valid match...create session goodies for the client.
                $user = new ClientSession($email,$ticket->getExtId());
                $_SESSION['_client'] = array(); //clear.
                $_SESSION['_client']['userID'] = $ticket->getEmail(); //Email
                $_SESSION['_client']['key'] = $ticket->getExtId(); //Ticket ID --acts as password when used with email. See above.
                $_SESSION['_client']['token'] = $user->getSessionToken();
                $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
                $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();
                $user->refreshSession(); //set the hash.
                //Log login info...
                $msg=sprintf('%s/%s logged in [%s]', $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
                $ost->logDebug('User login', $msg);

                //Regenerate session ID.
                $sid=session_id(); //Current session id.
                session_regenerate_id(TRUE); //get new ID.
                if(($session=$ost->getSession()) && is_object($session) && $sid!=session_id())
                    $session->destroy($sid);

                return $user;

            }
        }

        //If we get to this point we know the login failed.
        $errors['login'] = 'Invalid login';
        $_SESSION['_client']['strikes']+=1;
        //$errors['login'] was just set, so guarding this branch with `!$errors &&`
        //would make it dead code and the lockout would never trigger.
        if($_SESSION['_client']['strikes']>$cfg->getClientMaxLogins()) {
            $errors['login'] = 'Access Denied';
            $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
            $_SESSION['_client']['laststrike'] = time();
            $alert='Excessive login attempts by a user.'."\n".
                'Email: '.$email."\n".'Ticket#: '.$ticketID."\n".
                'IP: '.$_SERVER['REMOTE_ADDR']."\n".'Time:'.date('M j, Y, g:i a T')."\n\n".
                'Attempts #'.$_SESSION['_client']['strikes'];
            $ost->logError('Excessive login attempts (user)', $alert, ($cfg->alertONLoginError()));
        } elseif($_SESSION['_client']['strikes']%2==0) { //Log every other failed login attempt as a warning.
            $alert='Email: '.$email."\n".'Ticket #: '.$ticketID."\n".'IP: '.$_SERVER['REMOTE_ADDR'].
                "\n".'TIME: '.date('M j, Y, g:i a T')."\n\n".'Attempts #'.$_SESSION['_client']['strikes'];
            $ost->logWarning('Failed login attempt (user)', $alert);
        }

        return false;
    }



    login.inc.php

    comment out this line
    <td>Ticket ID:</td><td><input type="text" name="lticket" size="10" value="<?php echo $t ?>"></td>


    Hopefully this will work for you.

    If not, drop me a reply and I'll do a little investigation. This worked for me, by the way.


    Cheers.
  • Could you reverse this to be able to pull up by just the ticket number? We use it for an internal request system and people need to check on tickets that others have entered.

    Thank you in advance for the help :)
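
    The two requests in this thread, email only (the original post) and ticket number only (the post just above), are the same change applied to one lookup, so one function can serve both. The following is an added example, not code from the thread or from osTicket itself. It assumes the osTicket helpers already used in the posts above (TICKET_TABLE, db_input, db_query, db_num_rows, db_fetch_row, Validator::is_email) are loaded and that the ticket table has a `created` datetime column; the function name ticket_lookup_id and the $mode parameter are this example's own.

```php
<?php
// Added example; not osTicket's own code. Assumes the helpers used in the posts
// above (TICKET_TABLE, db_input, db_query, db_num_rows, db_fetch_row,
// Validator::is_email) are loaded and that the ticket table has a `created`
// datetime column. ticket_lookup_id() and $mode are names chosen for this example.
//
// $mode selects which credentials must match:
//   'both'   stock behaviour: ticket number AND email (the ticket number is the
//            shared secret, see "acts as password" in Client::login above)
//   'email'  the original poster's request: the email alone identifies the owner
//   'ticket' the later request: the ticket number alone
//
// Either relaxed mode drops the second factor: anyone who can reach login.php and
// knows (or guesses) a requester's email or a ticket number can read and reply to
// that ticket. That is only acceptable where every user on the network is already
// trusted with every ticket, which is the situation the original poster describes.

function ticket_lookup_id($extId, $email, $mode = 'both') {
    $extId = trim((string) $extId);
    $email = trim((string) $email);

    $needTicket = ($mode === 'both' || $mode === 'ticket');
    $needEmail  = ($mode === 'both' || $mode === 'email');
    if (!$needTicket && !$needEmail) {
        return null;                 // unknown mode: never run an unfiltered query
    }
    // Reject empty or malformed input before it reaches SQL. db_input() quotes the
    // value, but a blank email in 'email' mode must not be treated as a login.
    if ($needTicket && !ctype_digit($extId)) return null;   // ticketID is numeric
    if ($needEmail && !Validator::is_email($email)) return null;

    $where = array();
    if ($needTicket) $where[] = 'ticketID=' . db_input($extId);
    if ($needEmail)  $where[] = 'email=' . db_input($email);

    // In 'email' mode several rows can match (one requester, many tickets). Pin the
    // choice to the newest ticket so the redirect in login.php is deterministic
    // instead of "whichever row MySQL yields first".
    $sql = 'SELECT ticket_id FROM ' . TICKET_TABLE
         . ' WHERE ' . implode(' AND ', $where)
         . ' ORDER BY created DESC LIMIT 1';

    $id = null;
    if (($res = db_query($sql)) && db_num_rows($res)) {
        list($id) = db_fetch_row($res);
    }
    return $id ? (int) $id : null;
}
```

    To wire this into the posted Client::login(), replace `Ticket::lookupByExtId(null, $email)` with `Ticket::lookup(ticket_lookup_id($ticketID, $email, 'email'))` (Ticket::lookup($id) is osTicket's lookup by primary key; treat that name as an assumption if your version differs). For the ticket-number-only variant pass 'ticket' instead, keep the Ticket ID field in login.inc.php and remove the email one, and relax the two email checks that remain in login(): `Validator::is_email($email)` would reject the empty field and `strcasecmp($ticket->getEmail(), $email)` would never match, so either drop them or set `$email = $ticket->getEmail()` after the lookup succeeds. The failed-login strike counting in login() keeps working unchanged in either mode.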
  • Using 1.8, so I know the code might be a bit different.
  • 1.9.8.1; it's something I'm interested in too.