Public Access to Cases



Overview

 

This article describes the security measures in place for case tickets and explains how to send tickets and how to remove public ticket access to cases.

 




Information

 

Cases in FogBugz contain ticket links/URLs that provide read-only access to the correspondence within those cases. These links are sent through the automated email response whenever cases are opened. Tickets allow the sharing of all the correspondence transpiring within cases without requiring a user account, which means anyone with the link can view the communications.

 

Ticket Security

 

The ticket for a case is a system-generated 16-character value. Combined with a case number, a ticket allows outside users to view certain parts and attributes of that case and any other cases opened by the same correspondent. Tickets used to be generated only for cases that were emailed through the system; however, they are now generated for all existing cases.

The chance of a random outside user guessing a ticket value is 36^16 to 1, which is about (7.959 x 10^24) to 1. More specifically, for a given case, there are 7,958,661,109,946,400,884,391,936 possible values. If someone tries to access a case with brute force, they will need millions of hits on the same case, which would be easily detected on the servers.
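
The server-side detection mentioned above can be sketched as an access-log check. This is an added example, not FogBugz code: it assumes a web server access log in common log format with the client address as the first field, and the function names and the max_distinct threshold are hypothetical.

```python
import re
from collections import defaultdict

# Ticket URL shape from this article: default.asp?<case>_<16-character ticket>.
# Assumption: tickets use 0-9 and a-z, matching the 36^16 figure above.
TICKET_RE = re.compile(r"default\.asp\?(\d+)_([0-9a-z]{16})(?![0-9a-z])", re.I)


def find_guessing(log_lines, max_distinct=3):
    """Flag cases requested with more than max_distinct different tickets.

    A case has one ticket, so many distinct ticket values against a single
    case number indicate guessing.
    Returns {case: {"distinct_tickets": n, "clients": [...]}}; ticket values
    are counted but never returned, since each one is a bearer secret.
    """
    tickets = defaultdict(set)
    clients = defaultdict(set)
    for line in log_lines:
        m = TICKET_RE.search(line)
        if not m:
            continue
        case = int(m.group(1))
        tickets[case].add(m.group(2).lower())
        # Assumption: the client address is the first space-separated field.
        clients[case].add(line.split(" ", 1)[0])
    return {
        case: {"distinct_tickets": len(seen), "clients": sorted(clients[case])}
        for case, seen in tickets.items()
        if len(seen) > max_distinct
    }


def sample_log():
    """Constructed log lines, not real traffic; status codes are arbitrary."""
    ok = ('198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
          '"GET /default.asp?311_09esqan8dpe96com HTTP/1.1" 200 5120')
    noisy = ['203.0.113.9 - - [01/Jan/2024:10:05:%02d +0000] '
             '"GET /default.asp?1234_%016x HTTP/1.1" 200 312' % (i, i)
             for i in range(20)]
    return [ok] + noisy


if __name__ == "__main__":
    for case, info in find_guessing(sample_log()).items():
        print(case, info)
```

Because access logs record the full ticket URL, the logs themselves grant the same read-only access as the links and should be protected accordingly.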

 



Process

 

Sending Tickets

You can send a ticket URL using a snippet:

  1. Go to Avatar Menu > Snippets.

  2. Under Snippets For Everybody, click Create a New Snippet.

  3. In the Snippet field, type in your preferred name for the snippet.

  4. Put the ticket URL in the Replacement Text field.

  5. Click OK to save.

  6. Go to Snippets and select the snippet you've just created.

  7. If everything has been configured correctly, you will be given a link with the following format:

    https://example.fogbugz.com/default.asp?311_09esqan8dpe96com

 



Removing Public Access to Individual Cases

Public access URLs can be removed from cases, one case at a time. To do so:

  1. Use the default.asp endpoint.

  2. Put the case number and ticket with an underscore ( _ ) between them.

  3. Add the command parameter removeExternalAccess. 

Example:

Case Number: 1234
Ticket: 42umo5hjc1h6vurl
FogBugz Site address: https://example.fogbugz.com/
Removal URL:

https://example.fogbugz.com/default.asp?1234_42umo5hjc1h6vurl&command=removeExternalAccess

IMPORTANT: Once the public access is removed, there is no way to restore public access to a case.

 



Removing Access to All Cases

If you need to remove public access to all cases:

  1. Update the autoreply template for incoming email. Remove the public case link by removing both {ticket} and {ticketurl} in the autoreply template.

    Removing {ticket} and {ticketurl} will update FogBugz's autoreply messages to stop sending the public case links for new cases.

  2. Contact us to assist you in disabling the public access links.

Note: Disabling public access links can only be executed from the backend. For On-Premises administrators, we can provide a script to remove the access. For On-Demand accounts, the request must come from an administrator of the account.

 
