Great question…
We want to support guest submissions as much as possible as the creation of user accounts within WordPress is not always desirable.
A ticket’s URL should not be discoverable easily. Customers would need a URL that includes a unique key in order to access their ticket if they are not logged in.
However, there are most certainly circumstances where this is not desirable either.
I have made some changes to address this in the short term. If Guest submissions are disabled within settings, a visitor accessing their ticket with the key will be presented with a login form and will not be able to access the ticket without being authenticated by WP. This may change to an alternative validation method in the future.
That update will be released later today.
Longer term we will have additional options for sensitive data. I do not think we will get to a point whereby you can define that a single agent only has access to a ticket, but we will have options to only allow agents to access tickets from specific companies only, i.e. Company X’s tickets can only be managed by Agent Group Y.
We are also reviewing options to remove/mask sensitive data within tickets and make it only available within the admin screen. Any solution for this however would likely be released via an extension rather than be included in core.
Does that answer and address your question?
Also, when you state that the URL is discoverable I would love for you to share more on this. If you could email me details it would be appreciated. You can use this form rather than post on here.
Thanks for trying out KB Support
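The access rule described in the reply above, modelled as an added example; this is not KB Support's code, and every name in it (`Ticket`, `decide_access`, `new_ticket_key`) is hypothetical. It assumes that the ticket's own customer and agents can view a ticket once logged in, and it shows anonymous visitors the same login form whether or not their key is valid, so the response does not reveal which keys exist.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ALLOW, LOGIN, DENY = "allow", "login_form", "deny"


def new_ticket_key() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe encoded (43 characters).
    # A key of this size cannot be found by guessing or enumeration.
    return secrets.token_urlsafe(32)


@dataclass
class Ticket:
    key: str          # secret carried in the ticket URL
    customer_id: int  # account that owns the ticket (assumption)


def decide_access(ticket: Ticket, presented_key: Optional[str],
                  user_id: Optional[int], is_agent: bool,
                  guest_enabled: bool) -> str:
    """Return ALLOW, LOGIN or DENY for one request to view a ticket."""
    # Authenticated owner or agent: no URL key needed (assumption).
    if user_id is not None and (is_agent or user_id == ticket.customer_id):
        return ALLOW

    # Constant-time comparison so response timing does not leak key prefixes.
    key_ok = presented_key is not None and hmac.compare_digest(
        presented_key.encode(), ticket.key.encode())

    # The key alone grants access only while guest submissions are enabled.
    if key_ok and guest_enabled:
        return ALLOW

    # Anonymous visitor: show the login form, even when the key is valid
    # but guest submissions are disabled (the behaviour the reply describes).
    if user_id is None:
        return LOGIN

    # Logged in, but neither owner nor agent and no usable key.
    return DENY
```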