Group Permissions: Limit users to posting interally #5058
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello Zammad Team,
You have an amazing product here - thanks for open sourcing it. It's been a pleasure to poke around in.
Overview of Proposed Feature
So far I've been evaluating it for a somewhat novel application, and I found a missing feature which is a blocker for me. Competing platforms like Zendesk and even open source competitors like osTicket have the ability to restrict users to only posting internally.
I wasn't able to find this feature in Zammad - the permissions system doesn't seem to dig in a very granular fashion into the functionality that's available. However, you have such a great system for distinguishing between internal/external correspondence. It's all there - so I figured it can't be too hard to build the feature.
The main problem I'm trying to solve is to give access to Agents that shouldn't be able to accidentally send external correspondence. Instead, the Agents are able to assist more senior Agents by creating drafts and internal comments on tickets, subject to group access. The senior Agents can then review and respond using their external access permissions.
I thought the implementation best into Group/Role access permissions, because it means that you can have some Agents with full access to some Groups, but only read or internal access on other Groups. So it adds more flexibility.
See below for a visual guide of what I've changed in this PR.
Role Permissions
There is a new item in the Role Permissions that allows you to select 'External' for a Group.
In this example, this role can post externally for tickets in the Users group but not the Random Group, where they are limited to internal.
Below you can see a Role can be created called 'Internal Agent' where you can configure what groups this Agent has access to. This allows you to setup a role where all access will be internal to every Group, perfect for what I'm after.
Then below you can see what a Limited User's access looks like in the Ticket Zoom overview. It disables the visual buttons to toggle tickets internal/externally, and by default any type of channel will be marked as internal correspondence.
What this PR doesn't address (yet)
creates_ticket_articles.rb
will be sufficient to cover a case where a User or a Role has 'full' permissions, it might still prevent them from posting externally becauseauthorise!(ticket, :external?)
doesn't allow. I've run out of testing time.Next Steps
It would be great if this feature was implemented. If it's not on the roadmap, I'd be interested in any advice on how to create it as a package/add-on. I haven't yet explored that because I wanted to see if there was genuine interest in merging it into the product.
Thanks for your time!