Akeeba Ticket System

Friday, 19 August 2016 07:59 CDT

MOLEDesign

Emails are being sent to admin when tickets are updated, but no emails are going to users.

I have had a couple of ticket raised, updated and closed and not a single communication to their email

Looking at my Mandrill system, I see all the notifications to admin, bit not a single email has gone to the user who raised the ticket

I don't particularly want to go down the router of sending emails from my account, much preferring the system to handle all communication with users (through Mandrill for full tracking to make sure the site has all comms logged)

Have I missed a setting somewhere, I cant find anything obvious, and the plugin for sending emails is activate

Thanks

Friday, 19 August 2016 08:03 CDT

MOLEDesign

Sorry.. figured it out. The ticket system they have used is the GUEST one, which are not actually raised by registered user, but guests. I only ask for email as a custom field, so the system doesnt actually know where to send these

Would be nice if I could actually assign the relevant users in the system as the owner / creators (the tickets raised were login issue ones)

However just me being a muppet, sorry

Friday, 19 August 2016 08:45 CDT

nicholas

Akeeba Ticket System is explicitly designed to NOT let Guest users file tickets. It is insecure. Anyone who is NOT logged in to your site (either a person or a malicious bot written by a hacker) can see all tickets filed by ALL guest users and read them, download any attachments (posted by the user or yourself), edit posts, close them, or post as a user. There is absolutely no security or accountability. Asking people to submit their email address in a custom field is even worse because now their email address is posted on the open Internet.

And no, not having a public link to the page listing all the tickets isn't much of a solution. It's trivial to access index.php?option=com_ats&view=Categories to list all categories or index.php?option=com_ats&view=Ticket&id=1 (and monotonically increase the ID) to read all tickets. Remember that if you can get the URL to a ticket the only thing standing between you and the ticket is Joomla's access control. You have nullified that by allowing guest users to post tickets, therefore you have NO SECURITY WHATSOEVER FOR YOUR GUEST TICKETS. Sorry for the shouting, I cannot stress enough how bad this is for security and privacy.

All things considered, it's better having people register a free to your site before filing a ticket (in a category locked to the Registered group, NOT Guest!) or using a Facebook page (where at least there's a modicum of accountability).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 19 August 2016 10:25 CDT

MOLEDesign

That makes perfect sense

I have since moved the PUBLIC side of ATS to simple captcha protected forms, and only private tickets can be raised going forwards

Thanks for the detailed clarification of your reasoning though.

Friday, 19 August 2016 12:28 CDT

nicholas

You're welcome! Since this is a public ticket I wanted to make sure anyone bumping on it wouldn't think that guest tickets are a good idea. More so when the security / privacy issues are not obvious :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 18 September 2016 17:20 CDT

System Task

system

This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Edited by on 2016-09-18 17:20 CDT

Support