Unauthorized Personnel able to see requests by URL.

Problem

There is a problem with contacts being able to view tickets by URL. When creating a new contact, there exists an option for them to "only view tickets assigned to them." I assume this means that they are not authorized to view anyone else's tickets. When a ticket is not assigned to them, by this logic, they cannot see other tickets, nor can they search for them. However, when they change the URL to a different ticket ID, they are able to see it. If I supply the ticket ID referenced in the URL, then I am able to see the ticket and make changes. This does not seem like the authorization control is working correctly. With the testing I did, this only seems to exist within the same "Account". I tried coming in as a different account and I am unable to see the referenced ticket in the URL.

http://<servername>/WorkOrder.do?woMode=viewWO&woID=<requestid>;

Reproducing

Create an account and create several requests. Then create contacts for that account, with the option to allow them only to see their own requests. First see if you can search for that request, which you should not be able to do. Then try to view the request by URL, and you should be able to see it.

Then log in as another contact from a different company and you should not be able to see it.
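The gap the post describes is a classic insecure direct object reference: the search path filters by the contact's permission, but the view-by-ID path only checks the account. The following is an added example, not ServiceDesk Plus code; the data model, the contact and account names, the `own_requests_only` flag and the handler names are all constructed assumptions used to show the difference between the observed behaviour and an object-level check applied at the point where the ID is resolved.

```python
"""Added example (not ServiceDesk Plus code): models the authorization gap
described in the post. Search is filtered by the per-contact restriction,
but the direct view-by-ID handler only checks the account, so a contact
restricted to "own requests only" can reach any request in the same account
by editing woID in the URL. All names, IDs and the permission model below
are constructed assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    woid: int
    account: str
    assigned_to: str  # contact login the request is assigned to


@dataclass(frozen=True)
class Contact:
    login: str
    account: str
    own_requests_only: bool  # the "only view tickets assigned to them" option


# Constructed sample data: two accounts, several requests.
REQUESTS = {
    101: Request(101, "acme", "alice"),
    102: Request(102, "acme", "bob"),
    103: Request(103, "acme", "bob"),
    201: Request(201, "globex", "carol"),
}


def can_view(contact, req):
    """Object-level authorization: same account, and if the contact is
    restricted, the request must be assigned to that contact."""
    if req.account != contact.account:
        return False
    if contact.own_requests_only and req.assigned_to != contact.login:
        return False
    return True


def search_requests(contact, store=REQUESTS):
    """Search path: correctly filtered, which matches what the post observed."""
    return sorted(r.woid for r in store.values() if can_view(contact, r))


def view_request_vulnerable(contact, woid, store=REQUESTS):
    """Direct view path as observed: only the account is checked, so the
    per-contact restriction is bypassed by supplying another woID."""
    req = store.get(woid)
    if req is None or req.account != contact.account:
        return None
    return req


def view_request_fixed(contact, woid, store=REQUESTS):
    """Hardened view path: the same check search uses is applied when the
    ID from the URL is resolved. Missing and forbidden get the same
    response so the woID space cannot be enumerated by response shape."""
    req = store.get(woid)
    if req is None or not can_view(contact, req):
        return None
    return req


def build_view_url(server, woid):
    """The URL pattern quoted in the post (assumed placeholder server)."""
    return f"http://{server}/WorkOrder.do?woMode=viewWO&woID={woid}"


def idor_gap(contact, handler, store=REQUESTS):
    """IDs the view handler exposes that search would never list.
    A non-empty result is the finding from the post."""
    searchable = set(search_requests(contact, store))
    reachable = {w for w in store if handler(contact, w, store) is not None}
    return sorted(reachable - searchable)


if __name__ == "__main__":
    alice = Contact("alice", "acme", own_requests_only=True)
    for woid in idor_gap(alice, view_request_vulnerable):
        print("reachable by URL but not via search:", build_view_url("<servername>", woid))
    print("gap after fix:", idor_gap(alice, view_request_fixed))
```

Because the post notes that the exposed ticket could also be modified, the same `can_view` style check has to sit in front of every `woMode` that resolves a `woID` (edit and update as well as view), not only the read path; hiding records from search is a UI convenience, not an authorization control.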
