Talk:SelfService/@comment-199.104.120.64-20150312172830
When using SelfService, it appends the ticket number at the end like this ... SelfService/Display.html?id=1503060004
As the owner of this ticket and an unprivileged user, I can easily change the ticket number at the end and view, comment on, and reply to other tickets.
For instance, if I change it to id=1503060003, I can view that ticket even though it does not belong to the requestor.
What permission do I need to change to not allow this to happen? I want the Requestor who has sent in a ticket to see and have access to only their own tickets.