Hi,
Customers can see other customers' requests, which poses a security/information issue. People sending IT requests are able to see HR requests if they edit the number of the issue in a link, for example: link.to./servicedesk/customer/portal/180 <- if I change this to 179 as a customer I get to see another ticket.
I tried the following:
The following settings are applied:
Project settings > Access > People and Access:
Private - Only admins and people with internal access can search for, view and comment on this project.
Project settings > Access > Customer Permissions:
Customers can search for other customers within their organizations.
Product settings > Configuration > No, don't share email requests with the customer's organization. Requests sent from the portal will not be shared unless the customer selects otherwise
Effect:
User CANNOT see other requests - which is desirable; however, they cannot search for ANY user in the "include users" field. We see "No users found" in the field.
If I change this setting:
Project settings > Access > People and Access:
Open - Anyone with internal access to the organization can search for, view and comment on this project.
Effect:
User CAN see other requests - which is NOT desirable; however, they can search for ANY user in the organization.
Optimal scenario:
Users CANNOT see the requests from others BUT can include ANY user in the organization.
Does anyone have an idea how to approach this?
Hi @Mario P and welcome to the community,
Change the setting to "Customers can search for other customers within their project or organizations" and channel access to "restricted". See if that resolves your issue.
This almost works.
Now the customer won't see the other tickets if they visit the ticket link and they can select another customer in 'participants' fields.
It is not airtight though. If the customer logs in through https://domain.atlassian.net and then selects the project they are part of... they can see ALL of the tickets in the kanban board.
It's the 'issues' page and the target is just a customer - I have double checked in the admin panel.