GernericInterface TicketUpdate when authenticated as customer user?
-
- Znuny newbie
- Posts: 22
- Joined: 20 May 2021, 17:14
- Znuny Version: 6.4.2
- Real Name: Othmar Wigger
- Company: terreActive AG
- Location: Aarau, Switzerland
- Contact:
GernericInterface TicketUpdate when authenticated as customer user?
Hi
I am developing a REST webservice that can create and modify tickets. The API user is authenticated as a Customer User, because he really is a customer and I don't want him to have Agent permissions.
Creating tickets works fine, but when it comes to updates (e.g. change State), permission is denied.
From Kernel/GenericInterface/Operation/Ticket/TicketUpdate.pm I can see that it is not even trying to figure out Customer User permissions to the ticket. Instead, it sets UserID := 1 and continues with Agent User permission checking (sub _CheckUpdatePermissions).
This will fail for all tickets that are not owned by the "OTRS Admin" id=1 user, i.e. for all tickets that are assigned to a real agent.
Is there another way to use Webservices as a Customer User? Or is it a missing feature?
-
- Moderator
- Posts: 393
- Joined: 30 Jan 2008, 02:26
- Znuny Version: All of them ^^
- Real Name: Hannes
- Company: Znuny|OTTERHUB
Re: GernericInterface TicketUpdate when authenticated as customer user?
Hi,
sounds more like an error on the "script" side to me.
My sample is using the default GI config: works perfectly fine.
Permissions are checked using:
https://github.com/znuny/Znuny/blob/dev ... te.pm#L428
and then:
https://github.com/znuny/Znuny/blob/dev ... n.pm#L1308
so this should be no issue at all.
Regards
-
- Znuny newbie
- Posts: 22
- Joined: 20 May 2021, 17:14
- Znuny Version: 6.4.2
- Real Name: Othmar Wigger
- Company: terreActive AG
- Location: Aarau, Switzerland
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
Thank you very much for looking into this.
In the meantime I found that the permission is only denied for states that have types of "closed" or "pending".
Your example worked because you set the state to "open".
For closed and pending states, there are additional permission checks done here:
https://github.com/znuny/Znuny/blob/dev ... e.pm#L1478
The TicketPermission(UserID => CustomerPanelUserID) fails for tickets not owned by root.
There should probably be a TicketCustomerPermission() check if UserType is "customer".
The same happens when creating articles on line 1365.
-
- Moderator
- Posts: 393
- Joined: 30 Jan 2008, 02:26
- Znuny Version: All of them ^^
- Real Name: Hannes
- Company: Znuny|OTTERHUB
Re: GernericInterface TicketUpdate when authenticated as customer user?
And again,
this is working fine: I think there is something wrong with the customer you set in your GI Request.
The basic permissions are easy:
- CustomerID / CustomerUser = Login > you can change everything which is available to you.
If customer group support is enabled, you need to take care of the correct permissions there.
If the customer id / customer user does not match your account, you will fail with an auth error.
Without an actual example for the create and update request, it's just guessing in the dark.
Regards
-
- Znuny newbie
- Posts: 22
- Joined: 20 May 2021, 17:14
- Znuny Version: 6.4.2
- Real Name: Othmar Wigger
- Company: terreActive AG
- Location: Aarau, Switzerland
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
Thanks, Johannes, for trying this out. You are right, I am probably making a stupid mistake somewhere. So let me explain in detail what I am doing, maybe the mistake is obvious.
I create a webservice:

```yaml
Provider:
  Operation:
    PutState:
      Description: Update the ticket state
      Type: Ticket::TicketUpdate
      MappingInbound:
        Type: XSLT
        Config:
          Template: ... -> see below
  Transport:
    Config:
      RouteOperationMapping:
        PutState:
          ParserBackend: JSON
          RequestMethod:
            - PUT
          Route: /tickets/:TicketID/state
```

The input mapping is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:transform
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:date="http://exslt.org/dates-and-times"
    version="1.0"
    extension-element-prefixes="date">
  <xsl:output method="xml" encoding="utf-8" indent="yes" />
  <!-- Don't return unmatched tags -->
  <xsl:template match="text()" />
  <!-- Remove empty elements -->
  <xsl:template match="*[not(node())]" />
  <!-- Root template -->
  <xsl:template match="/">
    <RootElement>
      <CustomerUserLogin><xsl:value-of select="/RootElement/CustomerUserLogin"/></CustomerUserLogin>
      <Password><xsl:value-of select="/RootElement/Password"/></Password>
      <TicketID><xsl:value-of select="/RootElement/TicketID"/></TicketID>
      <Ticket>
        <State><xsl:value-of select="/RootElement/State"/></State>
      </Ticket>
    </RootElement>
  </xsl:template>
</xsl:transform>
```

I access the API with the following statement:

```bash
#!/bin/bash
TicketID=$1
NewState=$2
OTRSuser=...
OTRSpass=...
P12cert=...
P12pass=...
URL=...        # base URL of the web service (not set in the posted script)
Headers=""     # extra curl options such as request headers (not set in the posted script)
curl -s -k $Headers \
  -X PUT -d '{"State":"'$NewState'"}' \
  -u "$OTRSuser:$OTRSpass" \
  --cert "$P12cert:$P12pass" --cert-type p12 \
  --tls-max 1.2 \
  "$URL/tickets/$TicketID/state?DynamicFields=1&CustomerUserLogin=$OTRSuser&Password=$OTRSpass"
```

This produces:

```text
Incoming data before mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)
$VAR1 = {
  'CustomerUserLogin' => 'ta_othmar',
  'DynamicFields' => '1',
  'Password' => '...',
  'State' => 'Closed',
  'TicketID' => '30'
};
Incoming data after mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)
$VAR1 = {
  'CustomerUserLogin' => 'ta_othmar',
  'Password' => '...',
  'Ticket' => {
    'State' => 'Closed'
  },
  'TicketID' => '30'
};
TicketUpdate.AccessDenied (08/02/2022 10:24:27 (Europe/Zurich), error)
TicketUpdate: Does not have permissions to update state!
Outgoing data before mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)
$VAR1 = {
  'Error' => {
    'ErrorCode' => 'TicketUpdate.AccessDenied',
    'ErrorMessage' => 'TicketUpdate: Does not have permissions to update state!'
  }
};
Outgoing data after mapping (08/02/2022 10:24:27 (Europe/Zurich), debug)
No data provided
Returning provider data to remote system (HTTP Code: 200) (08/02/2022 10:24:27 (Europe/Zurich), debug)
{}
```
-
- Administrator
- Posts: 3977
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
Hi,
One small question: do you use the TicketNumber or TicketID in the URL when you call the web service?
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
-
- Administrator
- Posts: 3977
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
Ok, just asking because this is an often made mistake and would explain the permission denied.
- Roy
-
- Znuny newbie
- Posts: 22
- Joined: 20 May 2021, 17:14
- Znuny Version: 6.4.2
- Real Name: Othmar Wigger
- Company: terreActive AG
- Location: Aarau, Switzerland
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
After some debugging, I found a solution, but I don't understand it.
Kernel::System::Ticket::TicketPermission() runs four ticket permission modules:
Kernel::System::Ticket::Permission::OwnerCheck
Kernel::System::Ticket::Permission::ResponsibleCheck
Kernel::System::Ticket::Permission::GroupCheck
Kernel::System::Ticket::Permission::WatcherCheck
All of them return AccessOk denied.
- Owner check fails because root user is not ticket owner.
- Responsible and Watcher checks fail because the ticket does not have them.
- Group check fails because the root admin user has only the groups: users, admin, stats, watcher. But the ticket we want to update is in a queue assigned to an operational group.
I add the root user to my queue group.
This works! I can now update the state to closed and pending states.
This solves my immediate API permission problem. But I am puzzled. Do I have to add the root user to all newly created queue groups? OK, I might create some role for that. But I am still puzzled.
One might expect that the root Admin user is member of all groups by default.
But it isn't.
Am I missing some configuration setting or such?
-
- Moderator
- Posts: 393
- Joined: 30 Jan 2008, 02:26
- Znuny Version: All of them ^^
- Real Name: Hannes
- Company: Znuny|OTTERHUB
Re: GernericInterface TicketUpdate when authenticated as customer user?
Hi,
Yes, you can see it in my screenshot. I use "customer-1".
But I can reproduce it if I take the permissions of the user with id=1.
I think you hit a limitation/missing implementation for the API here.
For your use-case it would be necessary to create a permission module, which checks if the customer = create user.
The reason for this is one module is used for agent and customers and this case is not fully implemented.
The frontend code (module: customerzoom.pm, subaction store) handles ticket updates from customers in a different way, because it is just used by the customer.
Regards
-
- Znuny newbie
- Posts: 22
- Joined: 20 May 2021, 17:14
- Znuny Version: 6.4.2
- Real Name: Othmar Wigger
- Company: terreActive AG
- Location: Aarau, Switzerland
- Contact:
Re: GernericInterface TicketUpdate when authenticated as customer user?
Hi
Thank you very much for digging into this.
> The ticket owner is an agent, not a customer user. I can not see the ticket owner in your screenshots, therefore I asked. Ticket owner "Admin OTRS <root@localhost>" (UserID=1) always succeeds by virtue of Ticket::Permission::OwnerCheck (as long as Sysconfig CustomerPanelUserID==1).
I came to the same conclusions. Agreed.
> But I can reproduce it if I take the permissions of the user with id=1.
> I think you hit a limitation/missing implementation for the API here.
> For your use-case it would be necessary to create a permission module, which checks if the customer = create user.
> The reason for this is one module is used for agent and customers and this case is not fully implemented.
> The frontend code (module: customerzoom.pm, subaction store) handles ticket updates from customers in a different way, because it is just used by the customer.
The new permission module(s) would have to check: ticket's customer user equals API customer user OR they share the same company.
Shall we create a feature request in the issue tracker? I can do the implementation sometime later. For the moment I can survive with the GroupCheck workaround.
Othmar
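As an added illustration that is not part of the thread or of Znuny's code, the following Python models the permission chain Othmar walked through (the four Ticket::Permission modules, run as UserID 1) and the ticket-customer check proposed in the last two posts. It assumes OR semantics across the four modules, and ticket 30, agent 7, the logins and the company values are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample model of the thread's situation; this is not Znuny code.
@dataclass
class Ticket:
    ticket_id: int
    owner_id: int
    queue_group: str       # group the ticket's queue is assigned to
    customer_user: str     # customer user login stored on the ticket
    customer_id: str       # the customer user's company
    responsible_id: int = 0
    watcher_ids: frozenset = frozenset()

@dataclass
class Agent:
    user_id: int
    groups: set = field(default_factory=set)

# The four Kernel::System::Ticket::Permission modules named in the thread, as predicates.
def owner_check(t, agent):       return t.owner_id == agent.user_id
def responsible_check(t, agent): return t.responsible_id == agent.user_id
def group_check(t, agent):       return t.queue_group in agent.groups
def watcher_check(t, agent):     return agent.user_id in t.watcher_ids

def ticket_permission(t, agent):
    """Agent-side TicketPermission(): granted if any module grants it
    (OR semantics assumed, consistent with 'all of them return denied')."""
    return any(m(t, agent) for m in (owner_check, responsible_check, group_check, watcher_check))

def ticket_customer_permission(t, login, customer_id):
    """Customer-side check proposed in the thread: the ticket's customer user
    equals the API customer user, or both belong to the same company."""
    return t.customer_user == login or t.customer_id == customer_id

def closed_state_update_allowed(t, agents, customer_panel_user_id=1):
    """Path the thread describes for closed/pending states: the agent check is
    run as CustomerPanelUserID (root), so only root's own memberships count."""
    return ticket_permission(t, agents[customer_panel_user_id])

def walkthrough():
    ticket = Ticket(30, owner_id=7, queue_group="operations",
                    customer_user="ta_othmar", customer_id="terreActive")  # constructed
    root = Agent(1, {"users", "admin", "stats", "watcher"})  # groups listed in the thread
    agents = {1: root, 7: Agent(7, {"users", "operations"})}  # agent 7 is constructed
    before = closed_state_update_allowed(ticket, agents)
    root.groups.add("operations")  # the GroupCheck workaround from the thread
    after = closed_state_update_allowed(ticket, agents)
    return {"root_before_workaround": before, "root_after_workaround": after,
            "own_ticket": ticket_customer_permission(ticket, "ta_othmar", "terreActive"),
            "colleague": ticket_customer_permission(ticket, "ta_colleague", "terreActive"),
            "other_company": ticket_customer_permission(ticket, "someone", "OtherCo")}
```

The first two results show the workaround turning on root's group membership alone, while the last three show what a check tied to the requesting customer user would decide for the same ticket.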