I was evaluating your software and came across a very disturbing issue with deleting requests. This is the case:
A support rep who does not have permission to delete or even see any other group's requests can still do this by typing it in the browser address section, i.e. if a support rep wants to delete a request such as xxx, they can simply type
http://............/WorkOrder.do?woMode=deleteWO&woID=xxx&
and this will delete request number xxx from the database. This is true even for viewing other requests: one can simply type the id number in the address and it shows up. Is this something that will go away if I purchase the original version, or is this a bug? This can be a very hazardous issue if the contacts can also do this from their end. I would like to hear your view on this. Thanks in advance.
J.R.
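
The server-side check whose absence the post describes, as an added example (not part of the original post and not the vendor's code): every `WorkOrder.do` request is checked against the caller's role and the request's owning group before anything is shown or deleted, and a delete is refused on a plain GET. The `User` model, permission names, sample ids, host name and status-code choices are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

@dataclass(frozen=True)
class User:                      # hypothetical session identity
    name: str
    groups: frozenset            # support groups the rep belongs to
    permissions: frozenset       # actions the role grants, e.g. {"view", "delete"}

# Constructed sample store: request id -> owning support group
WORK_ORDERS = {"101": "network", "102": "payroll"}

# woMode value -> permission it requires (assumed mapping)
MODE_PERMISSION = {"viewWO": "view", "deleteWO": "delete"}
STATE_CHANGING = {"deleteWO"}

def handle(user, method, url, store=WORK_ORDERS):
    """Return the HTTP status for a WorkOrder.do request after authorization."""
    query = parse_qs(urlsplit(url).query)
    mode = query.get("woMode", [""])[0]
    wo_id = query.get("woID", [""])[0]
    needed = MODE_PERMISSION.get(mode)
    if needed is None:
        return 400                               # unknown mode
    if mode in STATE_CHANGING and method != "POST":
        return 405                               # no deletes from a typed or linked URL
    if needed not in user.permissions:
        return 403                               # role does not grant this action
    group = store.get(wo_id)
    # Same answer for "does not exist" and "belongs to another group",
    # so request ids cannot be enumerated by changing woID.
    if group is None or group not in user.groups:
        return 404
    if mode == "deleteWO":
        del store[wo_id]
    return 200

if __name__ == "__main__":
    rep = User("rep", frozenset({"network"}), frozenset({"view"}))
    url = "http://helpdesk.example/WorkOrder.do?woMode=deleteWO&woID=102&"
    print(handle(rep, "GET", url, dict(WORK_ORDERS)))   # request typed into the browser
```

The point of the sketch is that hiding the delete button in the interface is not an access control; the decision has to be made again on the server for every `woID` received.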