Question

User can change Requester field when creating new ticket

  • 27 July 2021
  • 1 reply
  • 93 views

Hello,

 

We are close to releasing Freshservice, and I recently discovered a security flaw. Users can change the Requester field to another email. This is risky because a user can impersonate another user during ticket submission.

I discovered the script below, but it does not work all the time. There are multiple times the browser must be refreshed before the requester field becomes read-only. Can your developer team please make it an option to make this field read-only?


<script type="text/javascript">
// Disable the requester email field once the DOM is ready
jQuery(document).ready(function () {
  jQuery("#helpdesk_ticket_email").prop("disabled", true);
});
</script>


1 reply


Hi @Green-leafs,


Good day!

The script you mentioned may not work if you are on the Self-service Portal v2. Please try the script below to disable the email fields in the incident and service request forms if you are on portal v2.

<script>
// Disable the email field in the incident form
jQuery(document).ready(function () {
  // Re-apply every 200 ms while the new-ticket page is open
  setInterval(function () {
    if (window.location.href.endsWith('support/tickets/new')) {
      jQuery(".ticket-field.default_requester").prop("disabled", true);
    }
  }, 200);
});
// Disable the email field in the service item form
jQuery(document).on('SideModalOpen', function () {
  // Run on the next tick, after the SideModalOpen handlers have returned
  setTimeout(function () {
    jQuery("#requester_email").prop("disabled", true);
  });
});
</script>

We hope this helps!

Regards,
Sanofar

Team Freshservice

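The question reports that the field only sometimes ends up disabled, and the reply works around that by polling every 200 ms. As an added example (not part of either post and not Freshservice code), the same lock can be re-applied with a `MutationObserver` whenever the portal inserts or re-renders the field. The function names are hypothetical, and the selectors are the three quoted in the thread; whether they match a given portal version is an assumption. Like the scripts above, this only changes the form in the browser and is not server-side validation of the requester.

```javascript
// Added example: selectors are copied from the thread, everything else is illustrative.
const REQUESTER_SELECTORS = [
  "#helpdesk_ticket_email",          // script from the question
  ".ticket-field.default_requester", // portal v2 incident form
  "#requester_email",                // portal v2 service item form
];

// Disable every requester input currently under `root`.
// Returns the number of fields that were newly disabled.
function lockRequesterFields(root) {
  let locked = 0;
  for (const selector of REQUESTER_SELECTORS) {
    for (const field of root.querySelectorAll(selector)) {
      if (!field.disabled) {
        field.disabled = true;
        locked += 1;
      }
    }
  }
  return locked;
}

// Lock once now, then again on every DOM change: late-rendered forms,
// side modals, or a re-render that clears the disabled attribute.
function watchRequesterFields(doc, ObserverCtor) {
  lockRequesterFields(doc);
  const observer = new ObserverCtor(() => lockRequesterFields(doc));
  observer.observe(doc.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ["disabled"],
  });
  return observer;
}

// Start in a browser only; under Node there is no document, so nothing runs.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const start = () => watchRequesterFields(document, MutationObserver);
  if (document.readyState === "loading") {
    document.addEventListener("DOMContentLoaded", start);
  } else {
    start();
  }
}
```

In the portal this would sit inside a `<script>` tag in the same place as the scripts above.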