Overview
This article describes the security measures in place for tickets, and explains how to send tickets and how to remove public ticket access to cases.
Content
Information
Cases in Fogbugz contain ticket links/URLs that provide read-only access to the correspondence within those cases. These links are sent through the automated email response whenever cases are opened. Tickets allow the sharing of all the correspondence transpiring within cases without requiring a user account, which means anyone with the link can view the communications.
Ticket Security
The ticket for a case is a system-generated 16-character value. When a ticket is combined with a case number, a ticket allows outside users to view certain parts and attributes of its case and any other cases opened by the same correspondent. Tickets used to be generated only for cases that are emailed through the system; however, they are now generated for all existing cases.
The chance of a random outside user guessing a ticket value is 36^16 to 1, which is about (7.959 x 10^24) to 1. More specifically, for a given case, there are 7,958,661,109,946,400,884,391,936 possible values. If someone tries to access a case with brute force, they will need millions of hits on the same case, which would be easily detected on the servers.
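The detection mentioned above can be done from web server access logs by counting how many distinct ticket values are requested for each case number. The following is an added example, not FogBugz code: the log layout (client address as the first field), the threshold, the 36-symbol alphabet of lowercase letters and digits, and the name find_ticket_guessing are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Link shape taken from the article's examples: default.asp?<case>_<ticket>
# Assumption: the 16 characters are lowercase letters and digits (36 symbols).
TICKET_REQ = re.compile(r"/default\.asp\?(\d+)_([0-9a-z]{16})(?=[&\s]|$)")


def find_ticket_guessing(log_lines, max_distinct_tickets=3):
    """Flag cases for which more distinct ticket values were requested
    than the threshold allows. A case's public link carries one ticket,
    so many different values for one case point to guessing."""
    tickets = defaultdict(set)  # case number -> ticket values seen
    clients = defaultdict(set)  # case number -> client addresses seen
    for line in log_lines:
        match = TICKET_REQ.search(line)
        if not match:
            continue
        case, ticket = match.groups()
        # Assumption: the client address is the first space-separated field.
        client = line.split(" ", 1)[0]
        tickets[case].add(ticket)
        clients[case].add(client)
    return {
        case: {"distinct_tickets": len(seen), "clients": sorted(clients[case])}
        for case, seen in tickets.items()
        if len(seen) > max_distinct_tickets
    }


# Constructed sample access-log lines (addresses, times and status codes are
# made up; only the request path is inspected).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] '
    '"GET /default.asp?311_09esqan8dpe96com HTTP/1.1" 200 5120',
] + [
    f'198.51.100.23 - - [12/Mar/2024:10:05:{i:02d} +0000] '
    f'"GET /default.asp?1234_{i:016d} HTTP/1.1" 404 312'
    for i in range(5)
]

if __name__ == "__main__":
    for case, info in find_ticket_guessing(SAMPLE_LOG).items():
        print(f"case {case}: {info['distinct_tickets']} distinct tickets "
              f"requested by {', '.join(info['clients'])}")
```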
Process
Sending Tickets
- Go to Avatar Menu > Snippets:
- Under Snippets For Everybody, click Create a New Snippet:
- In the Snippet field, type in your preferred name for the snippet.
- Put the ticket URL in the Replacement Text field.
- Click OK to save:
- Go to Snippets and select the snippet you've just created:
- If everything has been configured correctly, you will be given a link with the following format:
https://example.fogbugz.com/default.asp?311_09esqan8dpe96com
Removing Public Access to Individual Cases
Public access URLs can be removed from cases, one case at a time. To do so:
- Use the default.asp endpoint.
- Put the case number and ticket with an underscore ( _ ) between them.
- Add the command parameter removeExternalAccess.
Example: Case Number: 1234
http://example.fogbugz.com/default.asp?1234_42umo5hjc1h6vurl&command=removeExternalAccess
Removing Access to All Cases
If you need to remove public access to all cases:
- Update the autoreply template for incoming email. Remove the public case link by removing both {ticket} and {ticketurl} in the autoreply template:
Removing {ticket} and {ticketurl} will update FogBugz's autoreply messages to stop sending the public case links for new cases.
- Contact us to assist you in disabling the public access links.