Logged in user can see other users tickets

Hi! Great component, thank you!
I did find a security hole and i'm not sure if only i can see this.

Reproduction of the issue (localhost):
User 1 registered and logged in (in browser 1)
User 2 registered and logged in (in browser 2)

Each user submitted a ticket and in ticket list layout each can see only own tickets.
So good so far,

In ticket (detailed view) all looking good...BUT
If logged in user will just type in other user ticket id in the browser address line window - he will see ticket of someone else just as it is his own ticket, including all the privite information, e.g. username, email.

So in link like:
index.php?option=com_helpdeskpro&id=6&layout=default&view=ticket&Itemid=1312
only id number needs to be changed to see any ticket submited by anyone.

Is there a fix for this?
thank you!

Hi

What version of the extension you are using? We addressed it in version 1.4.0, the security released version which we released last week. Maybe you should update your site to that latest version ?

Tuan

Yes, i've just noticed 1.4.0 came out. I was using 1.3.0
I'll check if security problem is gone in new version and give feedback on this.
Thanks for promt reply!

OK. Thanks. I am sure that it is sorted in version 1.4.0 (1.4.0 also offer some other new nice features). But please check and report it back after you checking it

Regards,

Tuan

Confirmed. 1.4.0 has fixed security issues. All good!

Thanks for confirming .

Tuan

i have had this issue also
it started when we upgraded to 1.4.0 version
people can see each other tickets, but its only the users from the before the 1.4 patch was installed

my tickets volume is huge and moving to another ticket system is near impossible

can someone from helpdeskpro support please private massage me or email me

i have been getting ignored and a runaround
its been a while since i complained because support just blew me off
but it is a serious issue and cannot be ignored