Cases in Fogbugz have a ticket URL that provides read-only access to the correspondence in a case. This is sent by default with the automated email response when a case is opened. Tickets allow sharing of all the correspondence of a case without requiring a user account. Anyone with possession of a ticket URL can see correspondence on the case. This article provides information on how secure the tickets are, how to send tickets, and how to remove ticket access to a case.
The ticket for a case is a generated 16-character value. When combined with the case number, a ticket allows outside users to see certain parts and attributes of its case and any other cases opened by the same correspondent. Tickets used to be generated only for cases that are emailed into the system, but now they are generated for all cases.
The chance of a random outside user guessing a ticket value is 3616 to 1, which is about (7.959 * 1024) to 1. More specifically, there are 7,958,661,109,946,400,884,391,936 possible values for a given case. If someone tries to “brute force” access to a case, they would need millions of hits on the same case, which would be easily detected on servers.
Sending a Ticket
You can send a ticket URL using a snippet:
- Go to Avatar Menu > Snippets.
- Under Snippets For Everybody, click Create a New Snippet.
- In the Snippet field, type in your preferred name for the snippet.
- Put the ticket URL in the Replacement Text area.
- Click OK.
Removing Ticket Access to a Case
Ticket URLs can be removed from cases one at a time by using the default.asp endpoint below.
- Pass the case number and the ticket with an underscore (_) between them, and the command parameter
removeExternalAccess. See the example below.
Case Number: 1234
FogBugz Site address: http://example.fogbugz.com/
Removal URL: http://example.fogbugz.com/default.asp,?1234_42umo5hjc1h6vurl&command=removeExternalAccessOnce it is removed, there is no way to restore ticket access to a case.