[rt-users] User able to view, comment, reply to tickets not belonging to themselves
Michael Jablonski
jab at xmission.com
Thu Mar 12 18:41:21 EDT 2015
Hello everyone,
I currently have RT 4.2.9 installed. I have the ability for our customers to log in and view their open and resolved tickets. This all works great and they can comment, reply and change the status on their tickets. However my issue is this: in the URL "domain.tld/SelfService/Display.html?id= 1503120001 ". After the id= it displays the ticket number.
If I am a cleaver user I can easily understand the ticketing number and change it to 1503110001 and see the ticket that belongs to someone else, and they have the ability to comment, reply etc.
I am looking for a way to either
1) Not have the ticket number displayed in the URL
2) Not have the ability to view other tickets that do not belong to the user logged in
Thanks in advance if anyone can help me with this.
Michael Jab
XMission Support Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150312/8a6f4482/attachment.htm>
More information about the rt-users
mailing list