Not authorized when creating a ticket within a group via JSON API

I’ve a user that is trying to create a new ticket using the API endpoint /api/v1/tickets (POST):

% curl --header "Content-Type: application/json" \
     --header "Authorization: Token token=xxxxx" \
  --request POST \
--data '{"article":{"body":"Perl","internal":0,"subject":"asdasdasdasd","type":"note"},"customer":"perl@test.it","group_id":7,"title":"asdasdasdasd"}' http://localhost:8080/api/v1/tickets

{"error":"Not authorized","error_human":"Not authorized"}

where the user belongs to the group with id 7 (which is active) and has the agent role.
What permission am I missing?

I have changed the configuration, in order to try.
My user is id=7, and the group he belongs to is id=3:

% curl --header "Content-Type: application/json" \
     --header "Authorization: Token token=xyz" \
  --request GET \
 http://localhost:8080/api/v1/groups/3
{"id":3,"signature_id":null,"email_address_id":null,"name":"ATENEO","name_last":"ATENEO","parent_id":null,"assignment_timeout":null,"follow_up_possible":"yes","reopen_time_in_days":null,"follow_up_assignment":true,"active":true,"shared_drafts":true,"note":"Gruppo di ateneo\u003cbr\u003e","updated_by_id":3,"created_by_id":3,"created_at":"2024-06-06T13:22:23.714Z","updated_at":"2024-06-06T14:50:11.870Z","user_ids":[7]}


% curl --header "Content-Type: application/json" \
     --header "Authorization: Token token=xyz" \
  --request GET \
 http://localhost:8080/api/v1/users/7
{"id":7,"organization_id":null,"login":"perl@perl.me","firstname":"Applicazione","lastname":"","email":"perl@perl.me","image":null,"image_source":null,"web":"","phone":"","fax":"","mobile":"","department":"","street":"","zip":"","city":"","country":"","address":"","vip":false,"verified":false,"active":true,"note":"","last_login":null,"source":null,"login_failed":0,"out_of_office":false,"out_of_office_start_at":null,"out_of_office_end_at":null,"out_of_office_replacement_id":null,"preferences":{"notification_config":{"matrix":{"create":{"criteria":{"owned_by_me":true,"owned_by_nobody":true,"subscribed":true,"no":false},"channel":{"email":true,"online":true}},"update":{"criteria":{"owned_by_me":true,"owned_by_nobody":true,"subscribed":true,"no":false},"channel":{"email":true,"online":true}},"reminder_reached":{"criteria":{"owned_by_me":true,"owned_by_nobody":false,"subscribed":false,"no":false},"channel":{"email":true,"online":true}},"escalation":{"criteria":{"owned_by_me":true,"owned_by_nobody":false,"subscribed":false,"no":false},"channel":{"email":true,"online":true}}}},"locale":"en-us","tickets_closed":0,"tickets_open":71},"updated_by_id":3,"created_by_id":3,"created_at":"2024-03-18T15:32:43.465Z","updated_at":"2024-06-06T14:49:16.239Z","role_ids":[4],"two_factor_preference_ids":[],"organization_ids":[],"authorization_ids":[],"overview_sorting_ids":[],"group_ids":{"3":["full"]}

Note that the user has full control over group 3.

However:

% curl --header "Content-Type: application/json" \
     --header "Authorization: Token token=xyz" \
  --request POST \
--data '{"article":{"body":"CIAO CIAO","internal":0,"subject":"PRIMO TEST categoria","type":"note"}, "group_id":3,  "customer":"perl@perl.me","title":"PRIMO TEST categoria"}' http://localhost:8080/api/v1/tickets

{"error":"Not authorized","error_human":"Not authorized"}

Is there a way to get a better error message?
What should I look for?

Hi @fluca1978. Is your token correct, meaning that ticket.agent was selected?

@fliebe92 I think the token is correct, since it is the same I used before, and it has been generated as follows:

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{ "name": "perl@perl.me", "permission": ["cti.agent","ticket.agent", "admin.group"], "expires_at": "2024-12-21" }' \
  -u luca.ferrari3@me.it:XXXXXX http://localhost:8080/api/v1/user_access_token

Is there a way to get a better error message or detail, and/or to check the status of the given token (via API)?

GET /api/v1/user_access_token is available to get a list of all your tokens for the current user.

Does the ticket.agent role have the correct permissions for the used group?

Uhm, while I’m able to inspect the user with the very same token via api/v1/users/<id>, I’m not able to see the access token:

% curl --header "Content-Type: application/json" \
     --header "Authorization: Token token=abcdef" \
  --request GET \
 http://localhost:8080/api/v1/user_access_token 
{"error":"Not authorized (token)!","error_human":"Not authorized (token)!"}

Am I invoking this badly or does it reveal the problem?

Your token is missing the permission to manage your tokens. This is why … I guess you should stop with whatever you’re doing and need to study the documentation a bit :slight_smile: and my last question is not answered as well, so you’re mixing up a lot of topics here.

@fliebe92 I will study the documentation more, but I guess your question was answered in my original post: the user 7 has full permissions on group 3:

`"group_ids":{"3":["full"]}`

or am I misreading the output?
Now, the user 3 token has been created with the following:

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{ "name": "perl@perl.it", "permission": ["cti.agent","ticket.agent", "admin.group"], "expires_at": "2024-12-21" }' \
  -u luca.ferrarime.you:XYZ http://localhost:8080/api/v1/user_access_token

I have not set the permission to manage the tokens, because it was not supposed to be required. I can generate a new one with additional permissions, but having a better overview of what I’m missing (from the error message) could help in understanding why the same agent was working days ago and is no longer working now.

Hi @fluca1978. Based on your output, the user you’re using has "role_ids":[4]. Do you have access to the Rails Console and could look up the output of Role.find(4)?

BTW: Did you try to use the Zammad GUI to create a ticket? If not, could you please do so?
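
Since the API only answers "Not authorized", the checks discussed in this thread can be run on the client side before the POST. The following is an added example, not part of the original posts and not Zammad code: the function `preflight` and the sample data are hypothetical, built from values shown above. It assumes an agent needs `create` or `full` access on the target group, and it only sees group access assigned directly to the user, not access or permissions inherited from roles.

```python
import json

# Group access levels that permit creating a ticket. Zammad's levels are
# read, create, change, overview and full; "full" includes the others.
CREATE_LEVELS = {"create", "full"}


def preflight(user, token_permissions, ticket):
    """Return reasons an agent's POST /api/v1/tickets may be refused.

    Only checks what the client can see. An empty list means the cause
    lies elsewhere, e.g. in the permissions of the user's roles.
    """
    problems = []
    if not user.get("active", False):
        problems.append("user is not active")
    if "ticket.agent" not in token_permissions:
        problems.append("token lacks ticket.agent")
    gid = ticket.get("group_id")
    # JSON object keys are strings, so "group_ids" is keyed by "3", not 3.
    levels = set(user.get("group_ids", {}).get(str(gid), []))
    if not levels & CREATE_LEVELS:
        problems.append(f"no create access to group {gid} (has: {sorted(levels)})")
    return problems


# Constructed sample data, trimmed from the responses shown in the thread.
USER = json.loads('{"id":7,"active":true,"role_ids":[4],"group_ids":{"3":["full"]}}')
TOKEN_PERMISSIONS = ["cti.agent", "ticket.agent", "admin.group"]
TICKET_GROUP_7 = {"title": "asdasdasdasd", "group_id": 7, "customer": "perl@test.it"}
TICKET_GROUP_3 = {"title": "PRIMO TEST categoria", "group_id": 3, "customer": "perl@perl.me"}

if __name__ == "__main__":
    for ticket in (TICKET_GROUP_7, TICKET_GROUP_3):
        result = preflight(USER, TOKEN_PERMISSIONS, ticket)
        print(ticket["group_id"], result or "no client-visible problem")
```

When the list comes back empty, as it does for the group 3 payload, the remaining place to look is server-side, which is what the `Role.find(4)` question is after.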