Hello,
Maybe this has happened to someone else or it's been discussed, but I have not been able to find it in the discussions.
I'll try to explain what happens to us the best I can (difficult to explain, and even more difficult as I'm not an English speaker):
We have an osTicket installation that I'll call "A".
There's a 3rd party osTicket installation that I'll call "B".
A user has a ticket opened in B, and is not happy with the information received through e-mails from the agents of B.
He or she decides to reply to that ticket message, putting another e-mail address in the TO: of the message, as this user knows that he can have support too at that e-mail address, and replies to both: the original osTicket installation we call B, and our e-mail address that creates tickets in A.
What happens in A is that the e-mail received doesn't create a new ticket: it adds that information to an existing ticket (with a different ticket number), and puts the sender as the owner of the ticket.
The big problem here is that the new owner of the existing ticket could read the information from the ticket that was previously owned by another user if the access is through the web... and there can be personal information.
We think that the A osTicket might find the message ID in the message, and if that message ID exists, then it adds the information to the ticket that has that message ID too...
Let us know if we can solve that or if it's planned to add to the messages an osTicket installation ID in future releases. This has happened to us three times in one year with different users.
Best regards,
Rosa
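
The installation-scoped message ID the post asks about, as an added example that is not part of the original post and is not osTicket's code: an inbound reply is threaded into an existing ticket only when the referenced Message-ID carries this installation's HMAC tag and the sender is already on that ticket. The Message-ID layout, function names, secrets, domains and addresses are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample values; none of these come from osTicket or the post.
SECRET_A, SECRET_B = b"constructed-secret-A", b"constructed-secret-B"
DOMAIN_A, DOMAIN_B = "helpdesk-a.example", "helpdesk-b.example"
PARTICIPANTS_A = {1042: {"alice@example.org"}}  # ticket id -> known senders

# Hypothetical Message-ID layout: <t{ticket}.{nonce}.{tag}@{domain}>
MSGID_RE = re.compile(r"<t(\d+)\.([0-9a-f]{8})\.([0-9a-f]{16})@([^>\s]+)>")

def tag_for(secret, ticket_id, nonce):
    """Truncated HMAC binding the ticket reference to one installation."""
    data = f"{ticket_id}.{nonce}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:16]

def make_message_id(secret, domain, ticket_id, nonce):
    return f"<t{ticket_id}.{nonce}.{tag_for(secret, ticket_id, nonce)}@{domain}>"

def build_reply(sender, in_reply_to):
    """Constructed inbound mail that answers the given Message-ID."""
    return (f"From: {sender}\nTo: support@{DOMAIN_A}\n"
            f"In-Reply-To: {in_reply_to}\nSubject: Re: my case\n\nPlease help.\n")

def match_ticket(raw, secret, domain, participants):
    """Return the ticket to thread into, or None to open a new ticket."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    refs = f"{msg.get('In-Reply-To', '')} {msg.get('References', '')}"
    for tid, nonce, tag, dom in MSGID_RE.findall(refs):
        tid = int(tid)
        if dom.lower() != domain:
            continue  # reference issued by some other system
        if not hmac.compare_digest(tag, tag_for(secret, tid, nonce)):
            continue  # not signed with this installation's key
        if sender in participants.get(tid, set()):
            return tid  # own reference and a sender already on the ticket
    return None

if __name__ == "__main__":
    own = make_message_id(SECRET_A, DOMAIN_A, 1042, "9f3c21ab")
    foreign = make_message_id(SECRET_B, DOMAIN_B, 1042, "9f3c21ab")
    for who, ref in [("alice@example.org", own), ("bob@example.org", foreign)]:
        print(who, match_ticket(build_reply(who, ref), SECRET_A, DOMAIN_A, PARTICIPANTS_A))
```

Returning `None` means the mail opens a new ticket, so a reply that references another installation's message never attaches its sender to an existing ticket.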