Disable sign up in login page


  • CJ Johnson

    I would also love to see this, I had to put in place some seriously absurd levels of workaround to prevent any user from being able to make an account. It is absolutely a security hole that has been raised to Zendesk (by me three months ago at the very least, but I can't be the only one) and continues to persist. 

    "I don't believe there's a security issue in allowing people to sign up –– end users are not able to take actions that we might consider risky, so generally it's pretty safe to allow anyone to create a user name and password." 

     I've sent in emails about the myriad of ways and places that a signed in user can get information that an anonymous user cannot. I followed the guide provided by Zendesk to disable end-user sign ups, which does nothing about the problem this person is posting about, the "Sign up here" option still being displayed. Imagine my surprise when I followed the guide to disable allowing anyone to sign up, only to have someone send me a mildly threatening message showing my full name and avatar, that was intentionally not present in any email messages they received on the ticket, which was displayed on the "Requests" page only signed in end users can access.  Fortunately, I've got a super common name and wasn't using a personal picture, but the risk was real and I was following every step Zendesk provided that was supposed to prevent this:
    You can see my last comment on the article points out that this allows voting, another security hole. 

    I have since taken two additional steps: 
    1. Remove all code from the Requests page, so even if someone manages to sign in, they can't see their requests and thus agent names and avatars. 

    2. Set up a dead-end OAuth for end-users that redirects them to an error page if they try to access the sign in page. This would not work for this user's situation, since they still need to allow approved users to sign in, but works for anyone who needs to allow anyone to submit a ticket, but does not want anyone to be able to make an end-user account. 

  • Jay McCormack

    I admittedly have not read closely each of the above comments but we have the need to edit the login pane as well to remove the sign up option and here's our scenario:

    We want to "lock down" our knowledgebase. We do not want "just anybody" to be able to log in to our knowledgebase and see all of our warts. In a competitive market it is not uncommon for competitors to want to get access to any sort of information on their rivals and use it against them in a sales scenario. 

    But, at the same time, we want to allow "anyone to log a ticket" as that really is innocuous. Additionally, since we have user segments set up we need to require all of our users to log in before using the knowledgebase.

    Additionally, and not to be "that guy" but the general verbiage at the bottom of the pane that mentions that "If you've never logged a ticket before..." is a bit generic and sloppy so we'd really like to be able to modify that to our liking. 

    I THOUGHT I'd be able to edit this in GUIDE but it apparently is not there. 

    I'd be more than happy to talk to any Zendesk product team members to give more details on all of this.

  • Kean Kee Chong

    In fact, we only want to let our dedicated users log in and submit tickets and at the same time CC the respective person, but unfortunately, due to the limitation of the system, we need to allow that "anyone can submit tickets" in order to let another person be CC'ed in the email. 

    In our case, we only want to allow the registered user to submit a ticket but not the others.

    I would suggest that if we could disable sign up from the login page, it would be great. At least we won't give the opportunity to allow other non-approved contacts to sign up in our helpdesk.

    I also suggest that you re-look into the idea as follows. I think this is a great feature that everybody wants, and most systems have this kind of function. 
    Approve user sign-up to Help Center – Zendesk help

  • Max McCal
    Zendesk Product Manager

    Hi, CJ – 

    First of all, my apologies for not responding sooner. I really wanted to spend some time on this reply and took longer than I anticipated. I really appreciate this information. I have a couple follow up questions, but I'm going to ask them privately in a ticket, because they get into account specifics, and I feel that would be better done privately. 

    That said, I absolutely want to get to the bottom of how a user could get that information. No one should be able to access the requests page unless they are the requester of a ticket, and even once they have accessed it, they should only be able to see your name if you're assigned to the ticket or a CC, not your avatar. Your avatar may be visible in an Article or a Community post, however. 

    Regardless, I will follow up with you directly, and I want to apologize for my earlier statement, clearly some information was leaked, and we need to get to the bottom of this.

  • Stephen Belleau
    Community Moderator

    Jay McCormack Were you able to get in touch with someone? What you're asking to do should be possible with user segments. https://support.zendesk.com/hc/en-us/articles/4408824005914

    Some features vary depending on which plan you are on. Definitely reach out to support for help with that, or post in the Guide section https://support.zendesk.com/hc/en-us/community/topics/1260801308530-Feedback-Help-Center-Guide-

  • Max McCal
    Zendesk Product Manager


    Thanks for this message. I believe I can see the logic in what you're saying but I wanted to attempt to restate what you've said so that I'm sure I'm not missing anything. 

    You'd like to disable sign up, but you would still like individual end users to be able to CC other people. I think this is straightforward enough, but I'm curious whether that is the only aspect of turning the "Anyone can submit tickets" setting off that you find objectionable. That is a complex setting with lots of ramifications, so I thought it was worth checking.

    I don't believe there's a security issue in allowing people to sign up –– end users are not able to take actions that we might consider risky, so generally it's pretty safe to allow anyone to create a user name and password. Also, if users can CC others, then those users are effectively signed up as well. This means that if you allow CCs, you are effectively allowing your end users to sign up anyone else. It's not exactly the same, but it leads to similar risks.

    What are some of your concerns with having a sign up option? Are we missing something here about what they would be able to do?

    I think it makes sense to be able to do what you suggest, and it is certainly something we should examine, so I appreciate that. I only ask you to clarify, because I worry we may be missing something here.

