Disable sign up in login page

4 Kommentare

  • Max McCal
    Zendesk Product Manager

    Kean Kee Chong

    Thanks for this message. I believe I can see the logic in what you're saying but I wanted to attempt to restate what you've said so that I'm sure I'm not missing anything. 

    You'd like to disable sign up, but you would still like individual end users to be able to CC other people. I think this is straightforward enough, but I'm curious whether that is the only aspect of  turning the "Anyone can submit tickets" setting off that you find objectionable. That is a complex setting with lots of ramifications, so I thought it was worth checking.

    I don't believe there's a security issue in allowing people to sign up –– end users are not able to take actions that we might consider risky, so generally it's pretty safe to allow anyone to create a user name and password. Also, if users can CC others, then those users are effectively signed up as well. This means that if you allow CCs, you are effectively allowing your end users to sign up anyone else. It's not exactly the same, but it leads to similar risks.

    What are some of your concerns with having a sign up option? Are we missing something here about what they would be able to do?

    I think it makes sense to be able to do what you suggest, and it is certainly something we should examine, so I appreciate that. I only ask you to clarify, because I worry we may be missing something here.

  • Kean Kee Chong

    In fact, we only want to let our dedicated user to login and submit ticket and at same time can cc the respective person but unfortunately, due to the limitation of the system, we need to allow that" anyone can submit tickets" in order to let other person cc-ed in the email. 

    In our case, we only want to allow the registered user to submit a ticket but not the others.

    I would suggest if we could disable to sign up from the login page, it will be great. At least we won't give the opportunity to allow other non-approve contacts to sign up in our helpdesk.

    I also suggest if you could re-look into the idea as follows, I think this is great feature that everybody want and most of the system have this kind of function. 
    Approve user sign-up to Help Center – Zendesk help

  • CJ Johnson

    I would also love to see this, I had to put in place some seriously absurd levels of workaround to prevent any user from being able to make an account. It is absolutely a security hole that has been raised to Zendesk (by me three months ago at the very least, but I can't be the only one) and continues to persist. 

    "I don't believe there's a security issue in allowing people to sign up –– end users are not able to take actions that we might consider risky, so generally it's pretty safe to allow anyone to create a user name and password." 

     I've sent in emails about the myriad of ways and places that a signed in user can get information that an anonymous user cannot. I followed the guide provided by Zendesk to disable end-user sign ups, which does nothing about the problem this person is posting about, the "Sign up here" option still being displayed. Imagine my surprise when I followed the guide to disable allowing anyone to sign up, only to have someone send me a mildly threatening message showing my full name and avatar, that was intentionally not present in any email messages they received on the ticket, which was displayed on the "Requests" page only signed in end users can access.  Fortunately, I've got a super common name and wasn't using a personal picture, but the risk was real and I was following every step Zendesk provided that was supposed to prevent this:
    You can see my last comment on the article points out that this allows allows voting, another security hole. 

    I have since taken two additional steps: 
    1. Remove all code from the Requests page, so even if someone manages to sign in, they can't see their requests and thus agent names and avatars. 

    2. Set up a dead-end O-Auth for end-users that redirects them to an error page if they try to access the sign in page. This would not work for this user's situation, since they still need to allow approved users to sign in, but works for anyone who needs to allow anyone to submit a ticket, but does not want anyone to be able to make an end-user account. 

  • Max McCal
    Zendesk Product Manager

    Hi, CJ – 

    First of all, my apologies for not responding sooner. I really wanted to spend some time on this reply and took longer than I anticipated. I really appreciate this information. I have a couple follow up questions, but I'm going to ask them privately in a ticket, because they get into account specifics, and I feel that would be better done privately. 

    That said, I absolutely want to get to the bottom of how a user could get that information. No one should be able to access the requests page unless they are the requester of a ticket, and even once they have accessed it, they should only be able to see your name if you're assigned to the ticket or a CC, not your avatar. Your avatar may be visible in an Article or a Community post, however. 

    Regardless, I will follow up with you directly, and I want to apologize for my earlier statement, clearly some information was leaked, and we need to get to the bottom of this.


Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.

Powered by Zendesk