The unprivileged user has currently the following rights: - ReplyToTicket - ShowTicket - ModifySelf But the user is still able to view *all* tickts from *any* user by changing the ticket-id in the request url. How can I fix this security issue, so that the user can only see his own tickts?