GenericInterface TicketUpdate when authenticated as customer user?

owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Hi

I am developing a REST webservice that can create and modify tickets. The API user is authenticated as a Customer User, because he really is a customer and I don't want him to have Agent permissions.

Creating tickets works fine, but when it comes to updates (e.g. change State), permission is denied.

From Kernel/GenericInterface/Operation/Ticket/TicketUpdate.pm I can see that it is not even trying to figure out Customer User permissions to the ticket. Instead, it sets UserID := 1 and continues with Agent User permission checking (sub _CheckUpdatePermissions).

This will fail for all tickets that are not owned by the "OTRS Admin" id=1 user, i.e. for all tickets that are assigned to a real agent.

Is there another way to use Webservices as a Customer User? Or is it a missing feature?
Johannes
Moderator
Posts: 391
Joined: 30 Jan 2008, 02:26
Znuny Version: All of them ^^
Real Name: Hannes
Company: Znuny|OTTERHUB

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by Johannes »

Hi,

sounds more like an error on the "script" side to me.

My sample is using the default GI config:
OTRS_GI.paw 2022-07-28 17-35-53.png
works perfectly fine.
EDIT:
2021012710123456 - Historie - Ticket - znuny-634 2022-07-28 17-39-59.png
/EDIT

Permissions are checked using:
https://github.com/znuny/Znuny/blob/dev ... te.pm#L428
and then:
https://github.com/znuny/Znuny/blob/dev ... n.pm#L1308

so this should be no issue at all.

Regards
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Thank you very much for looking into this.

In the meantime I found that the permission is only denied for states that have types of "closed" or "pending".
Your example worked because you set the state to "open".

For closed and pending states, there are additional permission checks done here:

https://github.com/znuny/Znuny/blob/dev ... e.pm#L1478

The TicketPermission(UserID => CustomerPanelUserID) fails for tickets not owned by root.

There should probably be a TicketCustomerPermission() check if UserType is "customer".

The same happens when creating articles on line 1365.
Johannes
Moderator
Posts: 391
Joined: 30 Jan 2008, 02:26
Znuny Version: All of them ^^
Real Name: Hannes
Company: Znuny|OTTERHUB

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by Johannes »

And again,
this is working fine:
OTRS_GI.paw 2022-07-29 15-22-46.png
2021012710123456 - History - Ticket - znuny-634 2022-07-29 15-23-56.png
I think there is something wrong with the customer you set in your GI Request.
The basic permissions are easy:
- CustomerID / CustomerUser = Login > you can change everything which is available to you.
If customer group support is enabled, you need to take care of the correct permissions there.

If the customer id / customer user does not match your account, you will fail with an auth error.

Without an actual example for the create and update request, it's just guessing in the dark.

Regards
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Thanks, Johannes, for trying this out. You are right, I am probably making a stupid mistake somewhere. So let me explain in detail what I am doing, maybe the mistake is obvious.

I create a webservice

Provider:
  Operation:
    PutState:
      Description: Update the ticket state
      Type: Ticket::TicketUpdate
      MappingInbound:
        Type: XSLT
        Config:
          Template:       ... -> see below
  Transport:
    Config:
      RouteOperationMapping:
        PutState:
          ParserBackend: JSON
          RequestMethod:
            - PUT
          Route: /tickets/:TicketID/state
The input mapping is:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:transform
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:date="http://exslt.org/dates-and-times"
    version="1.0"
    extension-element-prefixes="date">

    <xsl:output method="xml" encoding="utf-8" indent="yes" />

    <!-- Don't return unmatched tags -->
    <xsl:template match="text()" />

    <!-- Remove empty elements -->
    <xsl:template match="*[not(node())]" />

    <!-- Root template: copy the credentials and TicketID through,
         and nest the new state under Ticket as TicketUpdate expects -->
    <xsl:template match="/">
        <RootElement>
            <CustomerUserLogin><xsl:value-of select="/RootElement/CustomerUserLogin"/></CustomerUserLogin>
            <Password><xsl:value-of select="/RootElement/Password"/></Password>
            <TicketID><xsl:value-of select="/RootElement/TicketID"/></TicketID>
            <Ticket>
                <State><xsl:value-of select="/RootElement/State"/></State>
            </Ticket>
        </RootElement>
    </xsl:template>
</xsl:transform>
I access the API with the following statement:

#!/bin/bash
# Update the state of one ticket through the GenericInterface REST provider.
TicketID=$1
NewState=$2
OTRSuser=...
OTRSpass=...
P12cert=...
P12pass=...
URL=...        # base URL of the provider (the original script did not set it)
Headers=       # optional extra curl options, left unquoted below so they split
# -k disables TLS certificate verification
curl -s -k $Headers \
  -X PUT -d "{\"State\":\"$NewState\"}" \
  -u "$OTRSuser:$OTRSpass" \
  --cert "$P12cert:$P12pass" --cert-type p12 \
  --tls-max 1.2 \
  "$URL/tickets/$TicketID/state?DynamicFields=1&CustomerUserLogin=$OTRSuser&Password=$OTRSpass"
This produces:

Incoming data before mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)

$VAR1 = {
  'CustomerUserLogin' => 'ta_othmar',
  'DynamicFields' => '1',
  'Password' => '...',
  'State' => 'Closed',
  'TicketID' => '30'
};

Incoming data after mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)

$VAR1 = {
  'CustomerUserLogin' => 'ta_othmar',
  'Password' => '...',
  'Ticket' => {
    'State' => 'Closed'
  },
  'TicketID' => '30'
};

TicketUpdate.AccessDenied (08/02/2022 10:24:27 (Europe/Zurich), error)

TicketUpdate: Does not have permissions to update state!

Outgoing data before mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)

$VAR1 = {
  'Error' => {
    'ErrorCode' => 'TicketUpdate.AccessDenied',
    'ErrorMessage' => 'TicketUpdate: Does not have permissions to update state!'
  }
};

Outgoing data after mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)

No data provided

Returning provider data to remote system (HTTP Code: 200) (08/02/2022 10:24:27 (Europe/Zurich), debug)

{}
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Johannes wrote: 29 Jul 2022, 15:25
If customer group support is enabled, you need to take care of the correct permissions there.
The problem is independent of the setting of CustomerGroupSupport.

Permission is denied not by missing customer user permissions, but by mismatching agent owner.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by root »

Hi,

One small question: do you use the TicketNumber or TicketID in the URL when you call the web service?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

root wrote: 02 Aug 2022, 11:55
One small question: do you use the TicketNumber or TicketID in the URL when you call the web service?
- Roy
I use the numerical TicketID, i.e. the DB field otrs.ticket.id.
We are not interested in the ticket number varchar otrs.ticket.tn.

Othmar
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by root »

owi wrote: 02 Aug 2022, 13:47
I use the numerical TicketID, i.e. the DB field otrs.ticket.id.
We are not interested in the ticket number varchar otrs.ticket.tn.

Ok, just asking because this is an often made mistake and would explain the permission denied.

- Roy
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Johannes wrote: 29 Jul 2022, 15:25
And again,
this is working fine:
By the way, did you make sure that the ticket Owner is *not* UserID=1?
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

After some debugging, I found a solution, but I don't understand it.

Kernel::System::Ticket::TicketPermission() runs four ticket permission modules:

Kernel::System::Ticket::Permission::OwnerCheck
Kernel::System::Ticket::Permission::ResponsibleCheck
Kernel::System::Ticket::Permission::GroupCheck
Kernel::System::Ticket::Permission::WatcherCheck

All of them return AccessOk denied.

- Owner check fails because root user is not ticket owner.
- Responsible and Watcher checks fail because the ticket does not have them.
- Group check fails because the root admin user has only the groups: users, admin, stats, watcher. But the ticket we want to update is in a queue assigned to an operational group.

I add the root user to my queue group.
This works! I can now update the state to closed and pending states.

This solves my immediate API permission problem. But I am puzzled. Do I have to add the root user to all newly created queue groups? OK, I might create some role for that. But I am still puzzled.

One might expect that the root Admin user is a member of all groups by default.
But it isn't.

Am I missing some configuration setting or such?
Johannes
Moderator
Posts: 391
Joined: 30 Jan 2008, 02:26
Znuny Version: All of them ^^
Real Name: Hannes
Company: Znuny|OTTERHUB

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by Johannes »

Hi,
owi wrote: 02 Aug 2022, 15:03
Johannes wrote: 29 Jul 2022, 15:25 And again,
this is working fine:
By the way, did you make sure that the ticket Owner is *not* UserID=1?
Yes, you can see it in my screenshot. I use "customer-1"

But I can reproduce it if I take the permissions of the user with id=1.
I think you hit a limitation/missing implementation for the API here.

For your use-case it would be necessary to create a permission module, which checks if the customer = create user.
The reason for this is one module is used for agents and customers and this case is not fully implemented.

The frontend code (module: customerzoom.pm, subaction store) handles ticket updates from customers in a different way, because it is just used by the customer.

Regards
owi
Znuny newbie
Posts: 22
Joined: 20 May 2021, 17:14
Znuny Version: 6.4.2
Real Name: Othmar Wigger
Company: terreActive AG
Location: Aarau, Switzerland
Contact:

Re: GenericInterface TicketUpdate when authenticated as customer user?

Post by owi »

Hi

Thank you very much for digging into this.
Johannes wrote: 07 Aug 2022, 15:09
owi wrote: 02 Aug 2022, 15:03 By the way, did you make sure that the ticket Owner is *not* UserID=1?
Yes, you can see it in my screenshot. I use "customer-1"
The ticket owner is an agent, not a customer user. I cannot see the ticket owner in your screenshots, therefore I asked. Ticket owner "Admin OTRS <root@localhost>" (UserID=1) always succeeds by virtue of Ticket::Permission::OwnerCheck (as long as Sysconfig CustomerPanelUserID==1).
But I can reproduce it if I take the permissions of the user with id=1.
I think you hit a limitation/missing implementation for the API here.

For your use-case it would be necessary to create a permission module, which checks if the customer = create user.
The reason for this is one module is used for agent and customers and this case is not fully implemented.

The frontend code (module: customerzoom.pm, subaction store) handles ticket updates from customers in a different way, because it is just used by the customer.
I came to the same conclusions. Agreed.

The new permission module(s) would have to check: ticket's customer user equals API customer user OR they share the same company.

Shall we create a feature request in the issue tracker? I can do the implementation sometime later. For the moment I can survive with the GroupCheck workaround.

Othmar
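The permission chain owi traced a few posts up (the four Ticket::Permission modules that TicketPermission() ORs together, and why UserID 1 fails them all on a ticket owned by another agent in a queue group it is not in) and the customer-side check proposed just above, as an added Python model. This is constructed example code, not Znuny code: the Ticket and Agent records, the group names, the simplification of GroupCheck to plain membership, and the "same customer user or same company" rule are all assumptions made here to show the logic end to end.

```python
"""Toy model of the ticket permission checks discussed in this thread.

Constructed example, not Znuny code. It mirrors the order of the four
agent-side permission modules owi listed (OwnerCheck, ResponsibleCheck,
GroupCheck, WatcherCheck) and adds the UserType-aware customer check the
thread proposes for TicketUpdate.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Ticket:
    id: int
    owner_id: int            # agent who owns the ticket
    queue_group: str         # group the ticket's queue belongs to (assumed)
    customer_user: str       # CustomerUserID stored on the ticket
    customer_id: str         # CustomerID (company) stored on the ticket
    responsible_id: Optional[int] = None
    watcher_ids: Set[int] = field(default_factory=set)


@dataclass
class Agent:
    id: int
    groups: Set[str]


# The four agent-side modules, each granting independently.
def owner_check(ticket: Ticket, agent: Agent) -> bool:
    return ticket.owner_id == agent.id


def responsible_check(ticket: Ticket, agent: Agent) -> bool:
    return ticket.responsible_id is not None and ticket.responsible_id == agent.id


def group_check(ticket: Ticket, agent: Agent) -> bool:
    # Simplified: the real module also distinguishes ro/rw/move_into permissions.
    return ticket.queue_group in agent.groups


def watcher_check(ticket: Ticket, agent: Agent) -> bool:
    return agent.id in ticket.watcher_ids


AGENT_MODULES = (owner_check, responsible_check, group_check, watcher_check)


def ticket_permission(ticket: Ticket, agent: Agent) -> bool:
    """Model of TicketPermission(): access if any module grants it."""
    return any(module(ticket, agent) for module in AGENT_MODULES)


def ticket_customer_permission(ticket: Ticket, customer_user: str, customer_id: str) -> bool:
    """Customer-side rule proposed in the thread: same customer user, or same company.

    Note that the company clause deliberately widens access to colleagues
    of the ticket's customer user; drop it for a strict per-user policy.
    """
    return ticket.customer_user == customer_user or ticket.customer_id == customer_id


def check_update_permission(ticket: Ticket, user_type: str, agent: Optional[Agent] = None,
                            customer_user: str = "", customer_id: str = "") -> bool:
    """UserType-aware dispatch, which the thread says TicketUpdate lacks.

    TicketUpdate currently always runs the agent chain with UserID 1
    (CustomerPanelUserID); that is the path that fails in the log above.
    """
    if user_type == "customer":
        return ticket_customer_permission(ticket, customer_user, customer_id)
    assert agent is not None, "agent chain needs an agent"
    return ticket_permission(ticket, agent)


def demo():
    # Constructed data matching the situation in the thread: ticket 30 is
    # owned by agent 2, sits in a queue of an operational group, and root
    # (UserID 1) is only in the default groups.
    ticket = Ticket(id=30, owner_id=2, queue_group="ops",
                    customer_user="ta_othmar", customer_id="company-a")
    root = Agent(id=1, groups={"users", "admin", "stats", "watcher"})
    denied = check_update_permission(ticket, "agent", agent=root)
    root.groups.add("ops")  # the GroupCheck workaround from the thread
    granted_after_workaround = check_update_permission(ticket, "agent", agent=root)
    same_user = check_update_permission(ticket, "customer",
                                        customer_user="ta_othmar", customer_id="company-a")
    colleague = check_update_permission(ticket, "customer",
                                        customer_user="ta_colleague", customer_id="company-a")
    other_company = check_update_permission(ticket, "customer",
                                            customer_user="someone", customer_id="company-b")
    return denied, granted_after_workaround, same_user, colleague, other_company


if __name__ == "__main__":
    print(demo())  # (False, True, True, True, False)
```

The model shows the two distinct things the thread establishes: the workaround (putting UserID 1 into the queue group) makes the agent chain pass for every ticket in that queue, which is much broader than the customer's own tickets, whereas a customer check keyed on the ticket's CustomerUserID (and optionally CustomerID) scopes the API user to the tickets it should be allowed to touch.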