Token access section in admin profile is blank

Infos:

  • Used Zammad version: 6.2.0-1706884711.0ecb2b87.bookworm
  • Used Zammad installation type: (source, package, docker-compose, …) Package via Apt
  • Operating system: Debian 12 Bookworm
  • Browser + version: any

Expected behavior:

Token access section in the user profile is ok

Actual behavior:

Token access section in the user profile is BLANK

Steps to reproduce the behavior:

Just login and go to the profile

I didn’t note this earlier because I have not opened this page for a while, but I am sure it was previously working as I created a few tokens for the API.

Now the page is blank, and in the browser JavaScript console I see this error:

application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:96 Uncaught TypeError: r.preferences.permission.join is not a function
    at Object.<anonymous> (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:96:20188)
    at Object.<anonymous> (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:96:20720)
    at JST.app/views/profile/token_access (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:96:20732)
    at application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:31:2648
    at s.render (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:49:14049)
    at s.render (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:49:12922)
    at ajax.success (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:49:13950)
    at u (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:2:11461)
    at Object.fireWith [as resolveWith] (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:2:12214)
    at i (application-6f6d2944dc5178c0df0e1d9d462d392aa6d39b857f54ea2d862021ba27d674e8.js:3:15929)

The reported error is:
r.preferences.permission.join is not a function
(In ‘r.preferences.permission.join(", ")’, ‘r.preferences.permission.join’ is undefined)

Pls see screenshot below (private data redacted), thanks.

It sounds like you found some way to create broken tokens:

Maybe you can check your tokens and see if the database data looks similar to my test system:

root> zammad run rails r "pp User.find_by(email: 'agent1@example.com').id"
root> zammad run rails r "pp Token.where(user_id: 4)"

(of course replace the email with the broken user email address and the ID with the output of the first command)

Steps to reproduce the behaviour would be very interesting.

You can also share your results here, but please replace the tokens before.

I have two users with tokens created, both with administrative privileges. Here are the tokens (some fields redacted for privacy):

zammad run rails r "pp Token.where(user_id: 3)"
[#<Token:0x00007fc...
  id: 26,
  user_id: 3,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>"ticket.agent"},
  last_used_at: Sat, 03 Feb 2024 20:58:08.584000000 UTC +00:00,
  expires_at: Tue, 31 Dec 2024,
  created_at: Sat, 03 Feb 2024 18:58:15.197000000 UTC +00:00,
  updated_at: Sat, 03 Feb 2024 20:58:08.584000000 UTC +00:00>,
 #<Token:0x00007fc5099d94c0
  id: 20,
  user_id: 3,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>["admin.user", "ticket.agent", "ticket.customer"]},
  last_used_at: Tue, 06 Feb 2024 09:55:40.420000000 UTC +00:00,
  expires_at: Tue, 31 Dec 2030,
  created_at: Sun, 10 Jul 2022 10:56:01.482000000 UTC +00:00,
  updated_at: Tue, 06 Feb 2024 09:55:40.420000000 UTC +00:00>,
 #<Token:0x00007fc...
  id: 25,
  user_id: 3,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "Postman",
  preferences: {"permission"=>["admin", "user_preferences"]},
  last_used_at: Sat, 03 Feb 2024 18:58:15.156000000 UTC +00:00,
  expires_at: Sun, 04 Feb 2024,
  created_at: Sat, 03 Feb 2024 18:55:07.352000000 UTC +00:00,
  updated_at: Sat, 03 Feb 2024 18:58:15.156000000 UTC +00:00>]


zammad run rails r "pp Token.where(user_id: 4)"
[#<Token:0x00007fb...
  id: 19,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>"ticket.agent"},
  last_used_at: Fri, 08 Jul 2022 22:45:55.994000000 UTC +00:00,
  expires_at: Sun, 31 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:35:08.223000000 UTC +00:00,
  updated_at: Fri, 08 Jul 2022 22:45:55.995000000 UTC +00:00>,
 #<Token:0x00007fb21d18ffc0
  id: 16,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "Test",
  preferences: {"permission"=>"[\"cti.agent\",\"ticket.agent\"]"},    <-- THIS!!!
  last_used_at: Mon, 11 Jul 2022 09:22:46.916000000 UTC +00:00,
  expires_at: Sun, 31 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:01:32.958000000 UTC +00:00,
  updated_at: Mon, 11 Jul 2022 09:22:46.916000000 UTC +00:00>,
 #<Token:0x00007fb...
  id: 8,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>["ticket.agent", "user_preferences.notifications"]},
  last_used_at: Thu, 31 Dec 2020 00:42:30.699000000 UTC +00:00,
  expires_at: Fri, 31 Dec 2021,
  created_at: Mon, 30 Nov 2020 23:39:41.667000000 UTC +00:00,
  updated_at: Thu, 31 Dec 2020 00:42:30.700000000 UTC +00:00>,
 #<Token:0x00007fb21d18fe30
  id: 17,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>"cti.agent,ticket.agent"},
  last_used_at: nil,
  expires_at: Sat, 09 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:25:28.847000000 UTC +00:00,
  updated_at: Fri, 08 Jul 2022 21:25:28.847000000 UTC +00:00>,
 #<Token:0x00007fb...
  id: 15,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>["ticket.agent", "user_preferences.access_token"]},
  last_used_at: Sat, 03 Feb 2024 18:00:42.043000000 UTC +00:00,
  expires_at: Sun, 31 Jul 2022,
  created_at: Fri, 08 Jul 2022 20:50:19.612000000 UTC +00:00,
  updated_at: Sat, 03 Feb 2024 18:00:42.043000000 UTC +00:00>,
 #<Token:0x00007fb...
  id: 18,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>"[cti.agent,ticket.agent]"},
  last_used_at: Fri, 08 Jul 2022 21:29:55.314000000 UTC +00:00,
  expires_at: Sun, 10 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:28:49.815000000 UTC +00:00,
  updated_at: Fri, 08 Jul 2022 21:29:55.314000000 UTC +00:00>]

The only strange thing that stands out to me is this in token #16:

  preferences: {"permission"=>"[\"cti.agent\",\"ticket.agent\"]"},

Looks like those backslashes are messing up the token? There are no backslashes in the other tokens. Token #18 has also some strange quotation marks. If that’s the case, can I delete these two tokens by CLI and see if the problem is solved? Or maybe I can delete all the tokens and see what happens…

As for the steps to get there I’m afraid I cannot reproduce them, the tokens were issued in 2022 and I do not actually remember what I did :frowning:

Thanks for your help!

To delete them would be effort too, because you have to replace them all.

Maybe another idea. Log in as the broken user and modify this URL for your host:

http://127.0.0.1:3000/api/v1/user_access_token

There should be a token hash with all the tokens and the permissions. Maybe you can find the broken ID there more easily?

I think ID 16 looks definitely SUS. Maybe you could try to fix it via:

root> zammad run rails c
rails> t = Token.find(16)
rails> t.preferences = {"permission"=>["cti.agent","ticket.agent"]}
rails> t.save!

OK, after trying those commands on ID#16 and ID#18, both the tokens look fine when printed with the same commands as yesterday:

#<Token:0x00007f07...
  id: 16,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>["cti.agent", "ticket.agent"]},		<-- looks fixed
  last_used_at: Mon, 11 Jul 2022 09:22:46.916000000 UTC +00:00,
  expires_at: Sun, 31 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:01:32.958000000 UTC +00:00,
  updated_at: Wed, 07 Feb 2024 13:39:45.528000000 UTC +00:00>,
 #<Token:0x00007f0...
  id: 18,
  user_id: 4,
  persistent: true,
  token: "[REDACTED]",
  action: "api",
  name: "[REDACTED]",
  preferences: {"permission"=>["cti.agent", "ticket.agent"]},		<-- looks fixed
  last_used_at: Fri, 08 Jul 2022 21:29:55.314000000 UTC +00:00,
  expires_at: Sun, 10 Jul 2022,
  created_at: Fri, 08 Jul 2022 21:28:49.815000000 UTC +00:00,
  updated_at: Wed, 07 Feb 2024 13:58:26.463000000 UTC +00:00>,

Unfortunately I’m still seeing the same error on the frontend and the token page is still blank for both user_id 3 and user_id 4.

As for your suggestion I have downloaded the list at the address “api/v1/user_access_token”. I do not see anything strange in the preferences of the tokens.

User_id 3

  "tokens": [
    {
      "id": 20,
      "user_id": 3,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": [
          "admin.user",
          "ticket.agent",
          "ticket.customer"
        ]
      },
      "last_used_at": "2024-02-06T09:55:40.420Z",
      "expires_at": "2030-12-31",
      "created_at": "2022-07-10T10:56:01.482Z",
      "updated_at": "2024-02-06T09:55:40.420Z"
    },
    {
      "id": 26,
      "user_id": 3,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": "ticket.agent"
      },
      "last_used_at": "2024-02-03T20:58:08.584Z",
      "expires_at": "2024-12-31",
      "created_at": "2024-02-03T18:58:15.197Z",
      "updated_at": "2024-02-03T20:58:08.584Z"
    },
    {
      "id": 25,
      "user_id": 3,
      "action": "api",
      "name": "Postman",
      "preferences": {
        "permission": [
          "admin",
          "user_preferences"
        ]
      },
      "last_used_at": "2024-02-03T18:58:15.156Z",
      "expires_at": "2024-02-04",
      "created_at": "2024-02-03T18:55:07.352Z",
      "updated_at": "2024-02-03T18:58:15.156Z"
    }
  ],

User_id 4

  "tokens": [
    {
      "id": 16,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": [
          "cti.agent",
          "ticket.agent"
        ]
      },
      "last_used_at": "2022-07-11T09:22:46.916Z",
      "expires_at": "2022-07-31",
      "created_at": "2022-07-08T21:01:32.958Z",
      "updated_at": "2024-02-07T13:39:45.528Z"
    },
    {
      "id": 15,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": [
          "ticket.agent",
          "user_preferences.access_token"
        ]
      },
      "last_used_at": "2024-02-03T18:00:42.043Z",
      "expires_at": "2022-07-31",
      "created_at": "2022-07-08T20:50:19.612Z",
      "updated_at": "2024-02-03T18:00:42.043Z"
    },
    {
      "id": 19,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": "ticket.agent"
      },
      "last_used_at": "2022-07-08T22:45:55.994Z",
      "expires_at": "2022-07-31",
      "created_at": "2022-07-08T21:35:08.223Z",
      "updated_at": "2022-07-08T22:45:55.995Z"
    },
    {
      "id": 18,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": "[cti.agent,ticket.agent]"
      },
      "last_used_at": "2022-07-08T21:29:55.314Z",
      "expires_at": "2022-07-10",
      "created_at": "2022-07-08T21:28:49.815Z",
      "updated_at": "2022-07-08T21:29:55.314Z"
    },
    {
      "id": 17,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": "cti.agent,ticket.agent"		<-- looks like it's missing the square brackets
      },
      "last_used_at": null,
      "expires_at": "2022-07-09",
      "created_at": "2022-07-08T21:25:28.847Z",
      "updated_at": "2022-07-08T21:25:28.847Z"
    },
    {
      "id": 8,
      "user_id": 4,
      "action": "api",
      "name": "[REDACTED]",
      "preferences": {
        "permission": [
          "ticket.agent",
          "user_preferences.notifications"
        ]
      },
      "last_used_at": "2020-12-31T00:42:30.699Z",
      "expires_at": "2021-12-31",
      "created_at": "2020-11-30T23:39:41.667Z",
      "updated_at": "2020-12-31T00:42:30.700Z"
    }
  ],

The “tokens” array is followed by another array named “permissions” with a very long list of elements like these:

  "permissions": [
    {
      "id": 1,
      "name": "admin",
      "note": "Admin Interface",
      "preferences": {},
      "active": true,
      "created_at": "2020-09-28T17:05:15.134Z",
      "updated_at": "2020-09-28T17:05:15.134Z",
      "allow_signup": false
    },
    {
      "id": 30,
      "name": "admin.api",
      "note": "Manage %s",
      "preferences": {
        "translations": [
          "API"
        ]
      },
      "active": true,
      "created_at": "2020-09-28T17:05:15.328Z",
      "updated_at": "2020-09-28T17:05:15.328Z",
      "allow_signup": false
    },

The list is very long, I’m not sure it’s ok to post it here. If useful I can post it on some Pastebin, let me know.

UPDATE
I fixed the token ID#17 and now it looks ok in the json:

{
  "tokens": [
    {
      "id": 17,
      "user_id": 4,
      "action": "api",
      "name": "Assistenza frigo gasatori test",
      "preferences": {
        "permission": [
          "cti.agent",
          "ticket.agent"
        ]
      },
      "last_used_at": null,
      "expires_at": "2022-07-09",
      "created_at": "2022-07-08T21:25:28.847Z",
      "updated_at": "2024-02-07T14:37:10.438Z"
    },

QUICK FIX (actually not a fix, just a way around the problem)
I’ve created a new user with admin privileges. The new user is able to access the token page in the profile.
Then I created a new token with “admin” and “ticket.agent” permissions. After logout+login the new user can still access the token page in the profile, so as a quick fix I can now reissue all the tickets by this user and use them in the webapp. I’ll let you know if this user loses the access too.

Anyway, I’d like to find out what’s the problem as this should not be happening. Thanks for your help.

Can you try this?

root> zammad run rails c
rails> t = Token.find(19)
rails> t.preferences = {"permission"=>["ticket.agent"]}
rails> t.save!
rails> t = Token.find(18)
rails> t.preferences = {"permission"=>["cti.agent","ticket.agent"]}
rails> t.save!
rails> t = Token.find(17)
rails> t.preferences = {"permission"=>["cti.agent","ticket.agent"]}
rails> t.save!

This should fix user id 4 hopefully.

followup: and this maybe fixes user id 3:

root> zammad run rails c
rails> t = Token.find(26)
rails> t.preferences = {"permission"=>["ticket.agent"]}
rails> t.save!

Maybe also another idea, we could search for the broken tokens:

Search for broken tokens

root> zammad run rails r 'pp Token.all.select{|t| !t.preferences["permission"].is_a?(Array) }'

Autofix

I tried to give an autofix a shot, this command will try to autofix user 3,4

root> zammad run rails c
rails> Token.where(user_id: [3,4]).select {|t| !t.preferences['permission'].is_a?(Array) }.each{|t| t.preferences['permission'] = t.preferences['permission'].gsub(/[\[\]"]/, '').split(/\s*,\s*/); t.save! }
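An added example, not part of the original posts and not Zammad's own code: a plain-Ruby normalizer for the malformed `permission` shapes printed earlier in the thread (bare string, comma-separated string, bracketed string, JSON-encoded array). The helper names and the sample hash are hypothetical; the sample values are constructed from the token output above, and the code runs without a Zammad installation.

```ruby
require 'json'

# Constructed sample: token id => preferences, using the permission values
# printed in the thread (all other token fields omitted).
SAMPLE_PREFERENCES = {
  26 => { 'permission' => 'ticket.agent' },
  16 => { 'permission' => '["cti.agent","ticket.agent"]' },
  18 => { 'permission' => '[cti.agent,ticket.agent]' },
  17 => { 'permission' => 'cti.agent,ticket.agent' },
  20 => { 'permission' => ['admin.user', 'ticket.agent', 'ticket.customer'] }
}.freeze

# Hypothetical helper: always return the permission value as an Array of names.
def normalize_permission(value)
  return value.map { |v| v.to_s.strip }.reject(&:empty?).uniq if value.is_a?(Array)
  return [] if value.nil?

  text = value.to_s.strip
  begin
    # A JSON-encoded array stored as a string (the shape of token 16).
    parsed = JSON.parse(text)
    return normalize_permission(parsed) if parsed.is_a?(Array)
  rescue JSON::ParserError
    # Not valid JSON: fall through to the delimiter-based cleanup below.
  end
  # Strip brackets and quote characters, then split on commas.
  text.gsub(/[\[\]"']/, '').split(',').map(&:strip).reject(&:empty?).uniq
end

# Hypothetical helper: ids whose stored value is not already an Array,
# the same condition as the search command in the thread.
def broken_ids(rows)
  rows.reject { |_id, prefs| prefs['permission'].is_a?(Array) }.keys.sort
end

# Hypothetical helper: id => repaired permission list, input left untouched.
def repaired(rows)
  rows.transform_values { |prefs| normalize_permission(prefs['permission']) }
end

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{broken_ids(SAMPLE_PREFERENCES).inspect}"
  repaired(SAMPLE_PREFERENCES).each { |id, perms| puts "#{id}: #{perms.inspect}" }
end
```

Printing the repaired list before saving anything lets you compare each token's resulting scopes against what it was meant to grant.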

BINGO!!!

Those commands fixed both user id 3 and 4, thanks a lot! :grinning:

Do you have any idea on how I happened to mess things up? I only used UI commands to handle tokens (but I use the tokens with my webapp and with Postman to authorize API calls) so there must be some rare combination of actions that can cause this problem with tokens.

I’m not trying this, but I’ll keep it in case I have problems again with the tokens.

Thanks again, your help is highly appreciated.

I think there was some rework of the token behaviour in the last 2 years. Maybe something got fucked up. Will do some research tomorrow.

Glad it works now :slight_smile:
