#24936 Allow visitor post tickets

Posted in ‘Akeeba Ticket System for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 13 April 2016 10:48 CDT

4Bweb
Hello, congratulations on the hard job you're doing.
I need to allow users (not registered) to open a ticket. That's possible in every ticket system I've tried.
On the product page it is indicated that Public and Private Tickets are possible, so I suppose I haven't found the information to allow it.
I've also activated the add post by email functionality but it seems not to work for those who are not registered.
If someone is interested in a product or service and needs to ask questions, how can we manage it?

nicholas
Akeeba Staff
Manager
We have already written many times that this is a feature we are not interested in implementing. It's dangerous.

All tickets are assigned to a Joomla! user account. Allowing guests to reply to tickets would mean that user ID 0 would be acceptable. That by itself is dangerous as it requires removing a sanity check and can lead to massive data corruption or worse (e.g. a user reading someone else's private posts). Sanity checks are put in place exactly to prevent these issues from happening.

Then we have the obvious issue of how the user could ever reply. There are three solutions, the dangerous, the stupid and the pointless.

The dangerous solution is automagically creating a new user account whenever an unknown email address is encountered in a new ticket. This is dangerous because:
  • Any spammer will come and post a new public ticket. At this point they have a valid user account on your site which had to be necessarily activated (otherwise the user would never be able to reply to his ticket without logging in).
  • The automatically created password is sent by email.
  • If you have enabled ticket creation by email and a user sends a ticket from an email address other than the one on their user account you have Yet Another User Account for the same person.
  • I CAN CREATE ARBITRARY USER ACCOUNTS ON YOUR SITE WITH JUST AN EMAIL ADDRESS. In other words I can use your site for social engineering attacks against other people.


Then there's the stupid solution: all you need to reply to a guest ticket is your email address. This is daft because email addresses are not secret by their nature. Therefore anyone can impersonate everyone else.

This leaves us with the pointless solution. Once you post a guest ticket a new, locked user account is created for you. An email is sent with an activation link and a temporary password. You have to first click on the activation link, then enter the temporary password, then enter a username, full name and a new password. Then you can reply. If you are paying attention that's a worse workflow than asking people to register for a free user account and THEN filing a free public ticket.

Since the only solution that makes sense is the pointless one which is equivalent to create account + post ticket we decided to not implement this feature. In short, we are not going to compromise the ticket system's privacy settings or the security of your site and we definitely won't waste time to implement what Joomla! already does very well.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
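
The user ID 0 problem described in the reply above, shown as an added example that is not part of the original ticket and is not Akeeba Ticket System code. The ticket array layout and the function names `canReadWithoutCheck` and `canReadWithCheck` are hypothetical, and the sample tickets are constructed; the only assumption taken from the reply is that every guest is represented by user ID 0.

```php
<?php
declare(strict_types=1);

// Every visitor who is not logged in is represented by the same user ID.
const GUEST_ID = 0;

// Constructed sample data: one ticket owned by a registered user and two
// private tickets that were (hypothetically) accepted from different guests.
$tickets = [
    101 => ['owner' => 42,       'public' => false, 'title' => 'Invoice question'],
    102 => ['owner' => GUEST_ID, 'public' => false, 'title' => 'Guest A: licence key problem'],
    103 => ['owner' => GUEST_ID, 'public' => false, 'title' => 'Guest B: billing address change'],
];

/** Ownership test with the sanity check removed so that ID 0 is acceptable. */
function canReadWithoutCheck(array $ticket, int $viewerId): bool
{
    // 0 === 0 is true for any guest looking at any guest-owned ticket.
    return $ticket['public'] || $ticket['owner'] === $viewerId;
}

/** Ownership test that keeps the sanity check: ID 0 never owns or reads private data. */
function canReadWithCheck(array $ticket, int $viewerId): bool
{
    if ($ticket['public']) {
        return true;
    }
    if ($viewerId <= GUEST_ID || $ticket['owner'] <= GUEST_ID) {
        // Guest viewer, or a record that should never have been stored.
        return false;
    }
    return $ticket['owner'] === $viewerId;
}

// Guest B (viewer ID 0) requests every ticket on the site.
foreach ($tickets as $id => $ticket) {
    printf(
        "ticket %d: without check=%s, with check=%s\n",
        $id,
        var_export(canReadWithoutCheck($ticket, GUEST_ID), true),
        var_export(canReadWithCheck($ticket, GUEST_ID), true)
    );
}
```

With the check removed, Guest B is granted access to Guest A's private ticket 102 because both share owner ID 0; with the check in place, a guest is refused every private ticket.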
