Andreas Eichert

Here is an example on how you can modify the props component in the new_request_page.hbs to remove values from the dropdown:

const props = {
    requestForm: {
        ...{{json new_request_form}},
        ticket_form_field: {
            ...{{json new_request_form.ticket_form_field}},
            options: {{json new_request_form.ticket_form_field.options}}.filter(option => {
                // Define the values for "Issue" and "Feedback" to keep
                const valuesToKeep = [
                    20621452630546, // Issue
                    21326079695122  // Feedback
                ];
                return valuesToKeep.includes(option.value);
            })
        }
    },
    newRequestPath: {{json (page_path 'new_request')}},
    parentId: {{json parent.id}},
    parentIdPath: {{json parent.url}},
    locale: {{json help_center.locale}},
    baseLocale: {{json help_center.base_locale}},
    hasAtMentions: {{json help_center.at_mentions_enabled}},
    userRole: {{json user.role}},
    brandId: {{json brand.id}},
    wysiwyg: true,
    answerBotModal: {
        answerBot: {{json answer_bot}},
        hasRequestManagement: {{json help_center.request_management_enabled}},
        isSignedIn: {{json signed_in}},
        helpCenterPath: {{json (page_path 'help_center')}},
        requestsPath: {{json (page_path 'requests')}},
        requestPath: {{json (page_path 'request' id=answer_bot.request_id)}}
    },
};

You can log the object to find the values you want to keep and add additional logic based on which the dropdown is being filtered.,

// Log the requestForm JSON object to the console
console.log("new_request_form:", props.requestForm);

I'm not an expert but this implementation seems to be not in line with general security requirements if you can just generate a JWT token from the frontend on an unauthenticated endpoint based on submitting external_id, email, and name.

Looks to me like you can easily impersonate other users.