An issue we ran into recently is that the search API calls default to sending back all tickets if given a blank or invalid filter set. This could lead to inter-customer data leakage if there are any bugs in the tools using the API. A safer option would be to return nothing in these cases. Is there any way to get this behavior?
We’ll take a look at that and see if an API change is needed. For now you could check the results returned to see if the customer ID of specific results matched what you’re looking for.
For max safety though, if you’re showing this to customers, you probably want to be searching by customer ID and/or email.
We are doing something a little more complex than single-field searches, unfortunately. Specifically, we are using custom fields to define group ticket ownership. The particular issue was that two custom fields changed order, so we were passing in a string as the filter for a numeric custom field, which returns all tickets.
Hmm, well you can still do the safety check to be sure what’s returned matches. I’ve logged this as a bug for more research.
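The failure mode and the safety check discussed in this thread, sketched as an added example (not code from the posts above or from the vendor): a client-side wrapper that refuses blank or mistyped filters before the call and re-checks every returned ticket afterwards. The field names, the schema, the ticket shape and `leaky_search` (a stand-in that mimics the reported "invalid filter returns everything" behaviour) are all assumptions.

```python
# Added example: hypothetical names throughout; not the vendor's API.
FIELD_TYPES = {"group_id": int, "region": str}  # assumed custom-field schema

TICKETS = [  # constructed sample data
    {"id": 1, "custom_fields": {"group_id": 10, "region": "emea"}},
    {"id": 2, "custom_fields": {"group_id": 20, "region": "emea"}},
    {"id": 3, "custom_fields": {"group_id": 10, "region": "apac"}},
]


def leaky_search(filters):
    """Stand-in for the remote search: blank or mistyped filters match everything."""
    valid = bool(filters) and all(
        type(v) is FIELD_TYPES.get(k) for k, v in filters.items())
    if not valid:
        return list(TICKETS)
    return [t for t in TICKETS
            if all(t["custom_fields"].get(k) == v for k, v in filters.items())]


def validate_filters(filters):
    """Reject anything the API might treat as 'no filter' before sending it."""
    if not filters:
        raise ValueError("empty filter set")
    for field, value in filters.items():
        expected = FIELD_TYPES.get(field)
        if expected is None:
            raise ValueError(f"unknown field {field!r}")
        # type() rather than isinstance(): bool must not pass as int
        if type(value) is not expected:
            raise ValueError(f"{field!r} expects {expected.__name__}")
        if value == "":
            raise ValueError(f"{field!r} is blank")


def safe_search(filters, search_fn=leaky_search):
    """Return (matching tickets, count dropped); never returns unverified rows."""
    validate_filters(filters)
    results = search_fn(filters)
    kept = [t for t in results
            if all(t["custom_fields"].get(k) == v for k, v in filters.items())]
    return kept, len(results) - len(kept)
```

A non-zero dropped count means the server returned tickets outside the requested filter and is worth logging or alerting on.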