If you have enabled the permission model in Zammad, your agents should update to Zammad 5.2.2. Note that due to the nature of this issue, it is important to test that your updated Zammad version does not cause problems with the permissions model. To check if your Zammad installation is affected, run the following command in the ticketing system:

    $ python3 -m unittest -v 'import zammad; zammad.Ticket.rm("some-ticket");'

If the command returns any error, then your Zammad installation is affected by the issue described in this article. To update to the latest Zammad version, contact your Zammad support team and ask them to install the update for you. Zammad 5.2.2 fixes this problem and does not cause any other issues with the permissions model.

What is the permissions model?

Zammad’s permissions model allows Zammad to dynamically configure access control policies based on the content of the ticket. The settings that are relevant to this issue are "view", "edit", and "delete". These permissions can depend on whether a ticket is opened by an agent within a group, assigned to a group, or created for an agent.
In order for your agents to be able to update the tickets in their queue, they need these permissions. However, if your Zammad version is affected by this issue, then some of your agents will not have these permissions.

Issues with Zammad’s permission model

The permission model in Zammad 5.2.2 allows agents to delete tickets from their own customer account. This is a design change that was made to allow the agent to more easily remove themselves from the ticketing system if they are no longer working on a ticket. In this case, the agent would be deleting their own customer account and not somebody else’s.
This is not an issue as long as the agent always operates in their own customer account and never in someone else’s; however, there may be some issues with how this affects other users if they have not yet updated Zammad to the latest version, 5.2.2. If you see any unintended consequences in your environment, please contact your Zammad support team and ask them to update your installation for you (if applicable).

Zammad installation steps

In order to update your Zammad installation, follow the steps below:
1. Log in to your Zammad account and go to Settings.
2. Scroll down until you find the Security tab and click on it.
3. Enable the Permissions model - this is important for agents that have enabled this feature in Zammad. After enabling the permissions model, a pop-up should appear asking you to update your Zammad installation. Click "update now" and your Zammad version will be updated.

Zammad 5.2.2 – Protecting Users from False Tickets

Zammad 5.2.2 fixes a bug where agents can add false tickets to the Zammad database, which would prevent other agents from seeing the ticket. This was due to the cost of checking permissions in Zammad not being accurate enough, so the agent could add a ticket without needing to check if they had permission.

Timeline

Published on: 09/27/2022 23:15:00 UTC
Last modified on: 09/29/2022 14:00:00 UTC
