Access Forbidden Error on Mobile View for "Tickets from my Organization" in Zammad 6.1.x

Infos:

  • Used Zammad version: 6.1.x
  • Used Zammad installation type: (source, package, docker-compose, …)
  • Operating system: (operating system on which you run Zammad)
  • Browser + version: (browser and version used when experiencing the issue)

Expected behavior:

  • Clients should be able to access and view the “Tickets from my organization” section without any issues in both desktop and mobile views.

Actual behavior:

  • When accessing the “Tickets from my organization” section via a mobile view, an error is encountered in the network request to the GraphQL endpoint. The error does not occur in the desktop view for the same user and section.

The error received in the mobile view is as follows:

[
  {
    "data": null,
    "errors": [
      {
        "message": "Access forbidden by Gql::Types::GroupType",
        "locations": [
          {
            "line": 44,
            "column": 9
          }
        ],
        "path": [
          "ticketsByOverview",
          "edges",
          1,
          "node",
          "group"
        ],
        "extensions": {
          "type": "Exceptions::Forbidden"
        }
      }
    ]
  }
]

In contrast, the desktop view responds correctly with the expected ticket information.

Steps to reproduce the behavior:

  1. Log in as a client on the Zammad mobile view.
  2. Navigate to the “Tickets from my organization” section.
  3. Observe the error in the network request as mentioned above.
  4. Log in as the same client on the Zammad desktop view.
  5. Navigate to the “Tickets from my organization” section and observe the correct response.

Additional information:

  • The issue seems to be related to the GraphQL API’s permissions when accessed via mobile.

In APP Version:

In Desktop Version:

I’m not able to reproduce the problem.

I think we need some more information about the tickets. For example, is it a shared organization, and are there also tickets from other customer users from this organization?
Is it a user who has only the “customer” role, or more?

  • The organizations in our Zammad setup are configured as “shared”, meaning multiple customer users are associated with each organization.
  • The users experiencing the issue are assigned only the “customer” role within Zammad.
  • The problem specifically occurs when these users attempt to view “Tickets from my organization” while on the mobile view. In this scenario, no tickets are displayed, and a GraphQL error is returned (as previously detailed in the bug report).
  • However, when accessing the same section from the desktop view as the same customer user, the tickets are displayed correctly without any errors.

This discrepancy between the mobile and desktop views suggests that there might be a mobile-specific issue with permissions or the GraphQL API call. The desktop view functions as expected for the same users under identical conditions.

Same customer user in app version

Same customer user in desktop

Hi @Bzaid94. I just tested it and it works fine for me. Please share some screenshots of the customer role, the mentioned user (if needed, please redact some values), and the related organization(s).

The production.log might be interesting as well when trying to open such a ticket in the mobile view.
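
For triaging a response like the one quoted in the first post, the following is an added example (not part of the thread and not Zammad code). It parses a GraphQL response body copied from the browser's network tab and reports which type denied access, on which field, and whether any data was still returned. The function name `forbidden_fields` is hypothetical, and the sample body is reconstructed from the error shown above.

```ruby
require 'json'

# Constructed sample: the response body quoted in the first post.
SAMPLE_BODY = <<~BODY
  [{"data": null, "errors": [{
    "message": "Access forbidden by Gql::Types::GroupType",
    "locations": [{"line": 44, "column": 9}],
    "path": ["ticketsByOverview", "edges", 1, "node", "group"],
    "extensions": {"type": "Exceptions::Forbidden"}}]}]
BODY

# Summarize authorization failures in a GraphQL response body.
# Accepts a single result object or an array of them (batched operations).
def forbidden_fields(body)
  results = JSON.parse(body)
  results = [results] unless results.is_a?(Array)
  results.each_with_index.flat_map do |result, op_index|
    (result['errors'] || []).filter_map do |err|
      # Keep only authorization errors; skip validation or server errors.
      next unless err.dig('extensions', 'type') == 'Exceptions::Forbidden'

      path = err['path'] || []
      {
        operation: op_index,
        # Type named in the message, e.g. Gql::Types::GroupType.
        denied_by: err['message'].to_s[/forbidden by (\S+)/, 1],
        # Field path with list positions removed.
        field: path.reject { |seg| seg.is_a?(Integer) }.join('.'),
        # Zero-based position of the list item that triggered the denial.
        list_index: path.find { |seg| seg.is_a?(Integer) },
        query_line: err.dig('locations', 0, 'line'),
        # false means the whole result was nulled, not just the one field.
        data_returned: !result['data'].nil?
      }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  forbidden_fields(SAMPLE_BODY).each { |finding| puts finding }
end
```

For the quoted error this reports that the denial comes from the nested `group` field of the second ticket in the list (index 1), not from the ticket node itself, and that `data` was returned as null for the whole operation.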