Support

Akeeba Ticket System

#42924 Mail gateway: allow invited users (per #__ats_tickets_users) to reply by email — patch attached

Posted in ‘Akeeba Ticket System for Joomla!’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
5.4.5
PHP version
8.4.20
Akeeba Ticket System version
5.5.0

Latest post by nicholas on Tuesday, 05 May 2026 10:48 CDT

Tuesday, 05 May 2026 09:46 CDT

genr8r

Hi Nicholas,

Filing this as a small inconsistency in the mail gateway with a patch attached if it is helpful.

The inconsistency

In the web UI, ATS lets staff invite additional users to a ticket (via the existing #__ats_tickets_users table), and Permissions::isInvited() is the public helper that checks for it. Invited users can read the ticket and reply via the portal.

The mail gateway, however, only honors $ticket->created_by when deciding whether a reply email is valid. An invited user replying via email gets the mailgateway_noaccess "Inadequate permissions" response, even though they could reply on the same ticket via the portal a moment later.

This is conceptually similar to how the existing AddonEmails feature lets one user reply from multiple email addresses — extending the From-address resolution to honor invited users feels like a natural symmetry.

Real-world scenario

Our agency runs a single ATS instance. Typical flow:

  1. Charlotte (a client's marketing lead) opens a ticket about a compliance question.
  2. The scope grows and Charlotte invites Kevin (their consultant) and Mike (their dev) so they can collaborate on the same ticket.
  3. Kevin replies to the latest notification email.
  4. ATS rejects with "Inadequate permissions."

Kevin can post on the portal, but for clients email is the path of least friction — and the system has already invited him into the conversation.

Proposed fix

Two changes to plugins/ats/mailfetch/src/Fetcher/EmailCheck.php (patch attached, against ATS 5.5.0):

1. passedBasicChecks() — extend the existing creator/manager gate to also accept invited users:

if (!$isNewTicket && !$isManager && ($user->id != $ticket->created_by) && !Permissions::isInvited($ticket->getId(), $user->id)) { // Reject with mailgateway_noaccess }

 

2. processEmail() reply branch — preserve the meaning of $myTicket (a client-side reply: status → O, no auto-assignment) by treating an invited user the same as the ticket creator:

$myTicket = ($user->id == $ticket->created_by) || Permissions::isInvited($ticket->getId(), $user->id);

 

 

Without the second change, an invited user's reply would flip status to P and auto-assign to themselves — which is the manager-reply behavior, not what we want.

Permissions::isInvited() is already imported in this file (the same import is used for isManager, getUser, etc.), so there are no new dependencies.

Alternative shapes

Happy to reshape if you prefer not to turn this on by default:

  • Opt-in flag in plg_ats_mailfetch params — e.g., replyfrominvited ("Allow invited users to reply by email")
  • Combine with emailadminonly so the existing manager-only switch could optionally include invitees

Either is a small follow-up.

Tested against

ATS 5.5.0 on Joomla 5.4. Applied to our production instance. Creator-replies and manager-replies behave unchanged; invited-user replies now post correctly with status O.

Best, Brian

Edited by genr8r on 2026-05-05 09:47 CDT

Tuesday, 05 May 2026 10:48 CDT

nicholas

Hi Brian!

Thank you for this detailed and well-researched report, and especially for including the patch — that made it much easier to evaluate.

You are absolutely right. The mail gateway's permission check has a gap: it only allows the ticket creator and category managers to reply by email, but ignores the #__ats_tickets_users table entirely. Since invited users can already post replies through the web interface (the web-side permission checks do honour that table), rejecting their email replies is inconsistent and surprising behaviour.

I have confirmed that Permissions::isInvited() is already imported in EmailCheck.php, so your proposed changes are correct and require no new dependencies. The two-line fix is exactly right:

  1. In passedBasicChecks(), extend the ownership gate to also pass invited users: 
    if (!$isNewTicket && !$isManager && ($user->id != $ticket->created_by)
    && !Permissions::isInvited($ticket->getId(), $user->id))
{
    // reject with mailgateway_noaccess
}
  2. In the reply branch of processEmail(), treat invited users the same as the ticket creator so their replies keep the status as O and do not trigger auto-assignment: 
    $myTicket = ($user->id == $ticket->created_by)
    || Permissions::isInvited($ticket->getId(), $user->id);

I will include this fix in the next maintenance release. Thank you again for the clear write-up and for taking the time to test it in production before filing the report.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!