• Resolved Chris Dillon

    (@cdillon27)


    Is there a way to restrict viewing a particular ticket to the user and the agent instead of leaving them public?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Mike Howard

    (@mikeyhoward1977)

    Hi,

    I’m afraid I’m not sure what you mean here. Could you provide an example/scenario for me?

    Thanks
    Mike

    Chris Dillon

    (@cdillon27)

    Hi Mike,

    Thanks for the prompt reply.

    For example, when a customer provides some private information like a username/password or a license key, or if they simply don’t want their URL exposed.

    Granted, the ticket URL is not published but it’s still discoverable. Here’s a screenshot of a ticket that’s visible even though no one is logged in.
    https://www.screencast.com/t/zkthwEu2PN

    Plugin Author Mike Howard

    (@mikeyhoward1977)

    Great question…

    We want to support guest submissions as much as possible as the creation of user accounts within WordPress is not always desirable.

    A ticket’s URL should not be discoverable easily. Customers would need a URL that includes a unique key in order to access their ticket if they are not logged in.

    However, there are most certainly circumstances where this is not desirable either.

    I have made some changes to address this in the short term. If Guest submissions are disabled within settings, a visitor accessing their ticket with the key will be presented with a login form and will not be able to access the ticket without being authenticated by WP. This may change to an alternative validation method in the future.

    That update will be released later today.

    Longer term we will have additional options for sensitive data. I do not think we will get to a point whereby you can define that a single agent only has access to a ticket, but we will have options to only allow agents to access tickets from specific companies only. i.e. Company X’s tickets can only be managed by Agent Group Y.

    We are also reviewing options to remove/mask sensitive data within tickets and make it only available within the admin screen. Any solution for this however would likely be released via an extension rather than be included in core.

    Does that answer and address your question?

    Also, when you state that the URL is discoverable I would love for you to share more on this. If you could email me details it would be appreciated. You can use this form rather than post on here.

    Thanks for trying out KB Support

    Chris Dillon

    (@cdillon27)

    Thanks for addressing it quickly. Your short term change sound like it will work.

    I meant agents (plural) not just the agent assigned, as in private between the user and anyone in support.

    The link in the email contains a secure key but the link in the ticket manager does not.
    http://example.com/ticket-manager/?ticket=16
    http://example.com/ticket-manager/?ticket=18
    http://example.com/ticket-manager/?ticket=124
    Any hacker could write a script to discover those.

    Plugin Author Mike Howard

    (@mikeyhoward1977)

    Ah ok, I now better understand 🙂

    I have included a dependency for the visitor to be logged in if using the URLs per above.

    So from next release a customer can access a ticket with the secure key without being logged in (unless disable guest submissions is enabled).

    If they access via a URL formatted as per your reply, they will need to be logged in.

    Great catch – appreciate your feedback

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘restrict access’ is closed to new replies.