Issue with API token permissions ticket.agent

Infos:

  • Used Zammad version:
  • Used Zammad installation type: zammad-docker-compose 6.2.0-1
  • Operating system:
  • Browser + version:

Expected behavior:

Creating a ticket from API with specific permissions for /api/v1/users.

Actual behavior:

With ticket.agent & ticket.customer permissions, we’re able to create tickets (api/v1/tickets) even if the user/customer doesn’t exist (ticket.agent is mandatory), for example: `"customer_id": "guess:email@example.com"`.
Also, you can restrict ticket.agent by group permissions, and that’s right. The bigger problem is that if you use the same API token for /api/v1/users, you can do whatever you want with Zammad users (GET, POST, PUT, …).

Steps to reproduce the behavior:

Some way to restrict a created API token for /api/v1/users with ticket.agent permissions.

It’s correct that you can use the user endpoints with the ticket.agent permission (because you are allowed to handle customer users and also see other users). But there should currently be some restrictions.
E.g. it should not be possible to edit admin users or other agent users (but you can see them).
If this is possible directly via the API, we are talking about a bug.
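Both posts above come down to the same gap: a token carrying ticket.agent is accepted on /api/v1/users as well as /api/v1/tickets, and Zammad itself offers no way to narrow one token to the ticket endpoints. The following is an added example, not Zammad project code and not from either poster: the decision logic for a reverse proxy placed in front of Zammad that maps a known integration token to a label and allows that label only the method/path pairs it needs, while leaving all other tokens to Zammad's own checks. The token value, the label, the allowlist and the hook into nginx `auth_request` or a WSGI middleware are assumptions of the example.

```python
"""Added example, not Zammad project code: per-token endpoint allowlist
logic for a reverse proxy in front of Zammad.

A Zammad token with ticket.agent permission can reach /api/v1/users as well
as /api/v1/tickets. Until Zammad scopes that, a proxy can map a known
integration token to a label and allow that label only the method/path pairs
the integration needs. Tokens the proxy does not know are passed through
("unscoped") so Zammad's own authentication and authorization apply.
Wiring this into nginx auth_request or a WSGI middleware is assumed here.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Constructed values: integration token -> label. The secret is inlined only
# for the example; a real deployment would look it up from a secret store.
TOKEN_LABELS = {
    "EXAMPLE_TOKEN_INTAKE": "ticket-intake",
}

# Constructed allowlist: label -> (method, path regex) pairs that are permitted.
# A ticket-intake integration needs to create tickets and read one back,
# but never to list or modify users.
ALLOWLIST = {
    "ticket-intake": [
        ("POST", re.compile(r"^/api/v1/tickets/?$")),
        ("GET", re.compile(r"^/api/v1/tickets/\d+/?$")),
    ],
}

# Zammad API tokens are sent as "Authorization: Token token=<value>".
TOKEN_HEADER = re.compile(r"^Token token=(\S+)$")


def token_from_headers(headers):
    """Extract the token from Zammad's 'Authorization: Token token=<value>'
    header. Returns None when the header is absent or uses another scheme
    (e.g. Basic), in which case the proxy does not scope the request."""
    auth = headers.get("Authorization", "").strip()
    match = TOKEN_HEADER.match(auth)
    return match.group(1) if match else None


def decision(method, path, headers):
    """Return 'allow', 'deny' or 'unscoped' for one request.

    'unscoped' means the token is not one the proxy manages, so the request
    is passed through and Zammad's own permission checks apply. Only known
    integration tokens are narrowed below what Zammad would permit.
    """
    token = token_from_headers(headers)
    label = TOKEN_LABELS.get(token) if token else None
    if label is None:
        return "unscoped"
    # Drop the query string and normalise "..", "//" and trailing slashes so
    # /api/v1/tickets/../users cannot slip past the tickets pattern.
    bare_path = posixpath.normpath(urlsplit(path).path)
    method = method.upper()
    for allowed_method, pattern in ALLOWLIST.get(label, []):
        if method == allowed_method and pattern.match(bare_path):
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed requests a ticket.agent token could otherwise make unhindered.
    hdrs = {"Authorization": "Token token=EXAMPLE_TOKEN_INTAKE"}
    for m, p in [("POST", "/api/v1/tickets"), ("GET", "/api/v1/users"),
                 ("PUT", "/api/v1/users/3"), ("GET", "/api/v1/tickets/42?expand=true")]:
        print(m, p, "->", decision(m, p, hdrs))
```

The design keeps the narrowing additive: the proxy never grants more than Zammad would, it only removes endpoints from specific integration tokens, so a regular agent's own token is unaffected and a misconfigured allowlist fails closed with "deny" rather than exposing /api/v1/users.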
