Security doubt with Company Tickets and Customer Groups
Moderator: crythias
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Security doubt with Company Tickets and Customer Groups
Hello.
I was looking for a way to restrict customers to seeing only their own tickets and a customer manager to be able to see all tickets from the same company in the customer web interface. I could make this work following the post "CustomerID/CustomerIDs/Customer Groups"; however, I found out that the change doesn't protect the access if the regular user knows the URL for accessing the Company Tickets content (/otrs/customer.pl?Action=CustomerTicketOverView;Subaction=CompanyTickets). This just hides the button in the web interface for customers.
Also, if the regular user gets to know the ticket ID of another user in the same company, they will get access as well, using the right URL (/otrs/customer.pl?Action=CustomerTicketZoom;TicketID=15).
Is this expected behavior, or is this something to be corrected? If this is expected, is there a way to block this access via the direct URL for the regular user?
OTRS version is 3.0.11.
Please let me know if I didn't make myself clear.
Regards.
Filipe Mordhorst
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Security doubt with Company Tickets and Customer Groups
It seems you would be correct with regard to all of the above.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
crythias wrote: It seems you would be correct with regard to all of the above.
So, do you think it's expected, or is this really a security issue?
Any ideas on how we could block that?
Re: Security doubt with Company Tickets and Customer Groups
That's how the frontend was designed. There is no extra config for hiding company tickets from users with the same company ID.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
jojo wrote: That's how the frontend was designed. There is no extra config for hiding company tickets from users with the same company ID.
Do you have any idea how to deny this access, even if it needs some changes directly in the code?
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Security doubt with Company Tickets and Customer Groups
If it's a specific person you want to hide, change that person's customer ID and run a generic agent on the tickets to retroactively adjust them. Now you'll need to adjust the customer_ids for the department admin.
If you want to do a cartesian hide (everyone from everyone), you'll have to do the same thing, but managing that customer_ids is going to be a mess.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
I think there should be an option to disable this access once you activate it. Is there a way to ask for this?
Crythias, just as a suggestion, maybe you should comment on this in your original post, because I'm sure most people will have the wrong idea that access for the regular user is blocked at all when they make the changes.
I will try to do it using Apache rewrite rules, to avoid access using the direct URL. Let's see what happens.
In the meantime, if someone has any ideas on how I could put code in the customer web interface to disallow access to Company Tickets if the user is not part of the customer group "ABC", please let me know.
Thanks
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
I gave up trying to block the access using Apache, because just now I realized that by using the search button the regular users can still find and access all tickets, by doing a simple * search.
Please, I need a solution for this to go live with OTRS, as this is not acceptable in our environment and clients.
Maybe using ACLs this will be possible?
Any help is welcome.
Thanks.
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Security doubt with Company Tickets and Customer Groups
Customers shouldn't be able to see anything that they're not a member of, and will see all that they're a member of.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
I got the idea about the actual design, and this is exactly what I need to change. This is not the right way to implement this, in my point of view. What I ask myself in this situation is: what is the purpose of letting you hide the button but leaving all the information the button displays free to consult using other paths, like a simple search?
Anyway, I was looking at Kernel/Modules/CustomerTicketOverView.pm and looking for a way to put a filter in there. If the customer doesn't belong to the customer group "Company_Manager", for example, it wouldn't allow access. Unfortunately, programming is far beyond my knowledge. If you could give me some guidance it would be wonderful.
What I wanted is exactly what is available in Ticket -> Frontend::Customer::ModuleRegistration for defining groups to allow access to the module as a whole, not just to the navigation bar, but to my bad luck, Company Tickets is a subaction of the module, and this option is not available.
Blocking access to a subaction based on a group would do the trick.
Thanks.
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Security doubt with Company Tickets and Customer Groups
Turn off search, then.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 7
- Joined: 08 Feb 2012, 01:41
- Znuny Version: 3.0.11
- Real Name: Filipe Mordhorst
Re: Security doubt with Company Tickets and Customer Groups
I already did that for customer groups other than "Customer Manager".
But I still need help putting a filter directly in the code, as I stated in my last reply.
Thanks.
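The filter Filipe asks for in the last two posts (a group check on the CompanyTickets subaction of Kernel/Modules/CustomerTicketOverView.pm), written out as an added example. This is editor-supplied code, not code from the thread, from OTRS or from Znuny, and it has not been run against 3.0.11; it assumes the objects that customer.pl hands every frontend module in that version: $Self->{GroupObject} being the Kernel::System::CustomerGroup instance, its GroupMemberList(UserID => ..., Type => 'ro', Result => 'HASH') returning GroupID => GroupName for the logged-in customer, $Self->{Subaction} holding the Subaction request parameter, and $Self->{LayoutObject}->CustomerNoPermission(WithHeader => 'yes') rendering the customer "no permission" page. The group name "Company_Manager" and the config key CustomerFrontend::CompanyTicketsGroup are hypothetical; verify each assumed call against the module source before relying on it.

```perl
# Added example: group guard for the CompanyTickets subaction in
# Kernel/Modules/CustomerTicketOverView.pm (OTRS 3.0.x customer frontend).
# Place the patched file under Custom/Kernel/Modules/ so an upgrade does not
# overwrite it, instead of editing the original under Kernel/Modules/.
#
# Assumed API (verify against your 3.0.11 source before use):
#   $Self->{GroupObject}  - Kernel::System::CustomerGroup instance from customer.pl
#   GroupMemberList(UserID => ..., Type => 'ro', Result => 'HASH')
#                         - returns ( GroupID => GroupName ) for that customer
#   $Self->{Subaction}    - value of the Subaction request parameter
#   CustomerNoPermission(WithHeader => 'yes') - customer "no permission" screen
use strict;
use warnings;

sub Run {
    my ( $Self, %Param ) = @_;

    # Name of the customer group allowed to open Company Tickets.
    # Both the config key and the fallback name are hypothetical; keep the
    # name in Kernel/Config.pm rather than hard-coded so it can change without
    # another code edit.
    my $RequiredGroup = $Self->{ConfigObject}->Get('CustomerFrontend::CompanyTicketsGroup')
        || 'Company_Manager';

    # Enforce the check on the server side, for every request, regardless of
    # whether the navigation button is shown: a hidden button is not a control.
    if ( $Self->{Subaction} && $Self->{Subaction} eq 'CompanyTickets' ) {

        # Groups the logged-in customer has read access to: GroupID => GroupName
        my %GroupsByID = $Self->{GroupObject}->GroupMemberList(
            UserID => $Self->{UserID},
            Type   => 'ro',
            Result => 'HASH',
        );

        # Flip to GroupName => GroupID so the lookup is by the configured name
        my %GroupsByName = reverse %GroupsByID;

        if ( !$GroupsByName{$RequiredGroup} ) {

            # Log the refusal so repeated direct-URL attempts are visible
            $Self->{LogObject}->Log(
                Priority => 'notice',
                Message  => "Customer '$Self->{UserID}' denied CompanyTickets: "
                          . "not a member of group '$RequiredGroup'",
            );

            # Return the rendered error page; nothing below runs for this request
            return $Self->{LayoutObject}->CustomerNoPermission( WithHeader => 'yes' );
        }
    }

    # ... the existing body of Run() continues here unchanged ...
}

1;
```

The check must be the first thing Run() does for that subaction, before any ticket search is issued, so the list of company tickets is never built for a customer outside the group. It guards only this subaction: the two other paths reported earlier in the thread, opening another customer's ticket directly via CustomerTicketZoom;TicketID=... and finding tickets with a "*" search, do not pass through CustomerTicketOverView and are not affected by it, so they still need to be closed separately (for search, the poster's approach of removing the search module for groups other than the manager group).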