What are the action filter and possible action for customer in ACL

Moderator: crythias

Locked
OTRSRDNewbie
Znuny newbie
Posts: 69
Joined: 29 Apr 2016, 10:23
Znuny Version: 3.2, 5
Real Name: Dennis Cua
Company: N/A

What are the action filter and possible action for customer in ACL

Post by OTRSRDNewbie »

I'm new to OTRS. So please excuse me, I am still just learning everything.

What are the ACL actions available for the customer frontend? My predecessor made these ACLs. I never met him. But the issue seems to be happening only on the production server, not in the pre-prod.

According to the reporter, after creating a new ticket with an attachment and pressing send, it displays an error that the type is missing, and then the title is also erased. I assumed that it was filled in before.

We're using OTRS 3.3.2 running on Red Hat Enterprise Linux Server release 6.3. I tested the customer front end in pre-prod and I can't replicate the issue (I am not allowed by my boss to touch the production).

I'm using Windows 7 to test the customer front end, and tried replicating the issue in pre-prod using Internet Explorer 8, Chrome 51, Firefox 47, and Opera 38. I just can't replicate the issue in the pre-prod. I am trying to understand if the ACL could have an effect, because I am seeing a different problem than the one the reporter is mentioning: only after attaching do the other input fields, like severity, show up. That's what I'm seeing in I.E., Chrome, Firefox and Opera.

I am having trouble reverse engineering since I can't touch the production server. But I think my predecessor only put the changes in the production, because the skin of the customer ticket also changed according to the reporter.

And the way he made the customization: he did not put it in the customs folder. It is usually made directly in the original code, so I can't take a quick look at a customs folder to check. I will have to search for any changes in the original .dtl, .pm ... files. And I can't find anything in the pre-prod that looks like this, except that the ACL has something like that, maybe that's it. Because according to the reporter I only need to put HR in the comment of the customer.

Please help me clarify some things: what are the Actions available for the customer ticket in ACLs for the front end? What OTRS customer form is CustomerTicketMessage? Is this a custom form? Because I can't find something like it in the pre-prod html/output. But I am not really familiar with ACLs, so I might have missed it.

RStraub
Znuny guru
Posts: 2210
Joined: 13 Mar 2014, 09:16
Znuny Version: 6.0.14
Real Name: Rolf Straub

Re: What are the action filter and possible action for customer in ACL

Post by RStraub »

Hey there, no need to excuse yourself for being new, everyone started somewhere.

So, the current Action can always (well, most of the time) be seen in the URL. The action "CustomerTicketMessage" corresponds to the screen a customer sees when opening a new ticket:
What your ACL does (from what I see) is:
- Filter all customers that create a new ticket, have a comment "SD or HR" and select "UserProvisioning" in a dynamic field
- Forbid all values in the dynamic field "subCat" but those that are listed (IDCreation, IDModify...)

There is nothing that forbids the selection of the ticket type, but there are a lot of reasons for this:
- It could be deactivated in the SysConfig
- It could be tampered with in another ACL
- It could be altered via customizations on the files or javascript

What you could do to find the root cause is:
1) Run a diff against the files to check if there are customizations. The original files can be found on GitHub (just make sure you select the correct version), e.g. here:
https://github.com/OTRS/otrs/blob/maste ... Message.pm
https://github.com/OTRS/otrs/blob/maste ... Message.tt

2) Open the ZZZ files (or grep through them) in ~otrs/Kernel/Config/Files/ (especially ZZZACL.pm) and look for other ACLs that filter on the action "CustomerTicketMessage"

3) Impersonate a customer (Admin -> CustomerUser -> Switch to Customer) and try creating a ticket while tailing the apache error.log and the otrs log

If you are not allowed to touch the production, you are not the right person to debug this problem - sorry. Even your boss should realize that you can't debug something if you can't access it.

I hope this helps you, good luck!
Currently using: OTRS 6.0.14 -- MariaDB -- Ubuntu 16 LTS
OTRSRDNewbie
Znuny newbie
Posts: 69
Joined: 29 Apr 2016, 10:23
Znuny Version: 3.2, 5
Real Name: Dennis Cua
Company: N/A

Re: What are the action filter and possible action for customer in ACL

Post by OTRSRDNewbie »

Right now I'm just trying to reverse engineer the code. Trying to see if I can find the bug or find a way to replicate the issue by studying the code. Maybe the reporter did not know and left out an important replication step.

Just a clarification: an ACL without Frontend filter conditions will apply to all, regardless of whether it's in customer or agent forms, right? And an ACL will run continually, not just once on a ticket. Let's say the only condition is State => 'Resolved' and Queue => 'some queue', and the possible resolver group is based on a queue. If it's in a customer form and the ticket is resolved and someone continually changes the Queue, the value of the resolver group will continually change, right?

I'm trying to understand the pre-prod right now. It has ACLs in the config.pm, and CustomerTicketMessage.pm itself has TicketACL(), so it will enforce all ACLs on the ticket. Since I am creating a new ticket, does that mean the ticket already has a database entry, or does the ticket still not exist?

I am seeing ACLs that are in ZZZACL.pm and in the database acl table but not in the admin tool ACL editor. I think I have seen ACLs that are in ZZZACL.pm and not in the acl table. And those ACLs are valid, at least valid is 1.

How do ACLs execute, and which takes precedence? Which is actually being run? ACLs in config.pm? ACLs in the admin tool ACL editor? ACLs in the ZZZACL.pm? Or the ACLs in the acl table?

Because while trying to replicate the issue I've been noticing fields that just start showing up and then start disappearing in the form in pre-prod. If I understand it correctly, there shouldn't be any ACLs in config.pm if we have upgraded from OTRS 3.2 to OTRS 3.3, right? Because to upgrade properly to a higher version, all ACLs in config.pm should be in the ZZZACL.pm? And shouldn't all the ACLs be the same in ZZZACL.pm, the acl table, and the admin tool ACL editor?

I haven't even checked javascript if there are field reassignments there.
RStraub
Znuny guru
Posts: 2210
Joined: 13 Mar 2014, 09:16
Znuny Version: 6.0.14
Real Name: Rolf Straub

Re: What are the action filter and possible action for customer in ACL

Post by RStraub »

Phew, quite a bunch of questions. I haven't been around OTRS when ACLs were written in the Config.pm, so I don't know how they react.
From the newer versions, ACLs should be only in the Webfrontend, which are then converted into the ZZZACL.pm

They are executed alphabetically (thus we precede them with 3 integers for the priority).

If you are trying to debug errors based on ACL, keep in mind that working with the root user (root@localhost, UserID = 1, created on installation) ignores all ACLs.

EDIT: oh and yes, if there is no frontend filter, it should match for every action.

When you create a ticket, there is nothing in the database yet, that's why ACLs differentiate between "Properties" (= current input) and "Properties Database" (= already saved data).
Currently using: OTRS 6.0.14 -- MariaDB -- Ubuntu 16 LTS
OTRSRDNewbie
Znuny newbie
Posts: 69
Joined: 29 Apr 2016, 10:23
Znuny Version: 3.2, 5
Real Name: Dennis Cua
Company: N/A

Re: What are the action filter and possible action for customer in ACL

Post by OTRSRDNewbie »

I have seen the CustomerTicketMessage.pm call and execute TicketACL(); from cyntias answer it is supposed to enforce ACLs on a ticket? When TicketACL() is called, does that mean that there is already an existing ticket object?

When the ACL is run or when CustomerTicketMessage is opened (New Ticket), is there already a ticket?

The ACL below will limit the Queue to Service Desk only if it's a Customer form and the ticket already exists, but not necessarily in the database, am I right? If there is no frontend filter, the ACL will limit the Queue to Service Desk on tickets that already exist in memory?

I am seeing this on the ACL in the acl table: "STOP_AFTER_MATCH". What does this mean? If the ACL already ran on the CustomerTicketMessage, it will not run again on the same new ticket form?

Let's say I change the Type from 'Service Request' to 'Incidents'. Does that mean that I can't get any other choice in the Queue still except 'Service Desk'?

What if there is another ACL that does the same, except it looks for Type as 'Incidents' and limits the Queue to 'Admin', and both of those ACLs have STOP_AFTER_MATCH set to 1? If I first set Type to 'Service Request', then change it to 'Incidents' and change it back to 'Service Request' again, is the Queue going to change from 'Service Desk' to 'Admin' to 'Service Desk'? Or will it be 'Admin' because the STOP_ON_MATCH executes the ACL only once? Sorry to ask this, I only found this in the acl table and it has a value of 1 in valid. Not sure if this will run or enforce anything, because I believe I have not yet seen the queue change value while attempting to replicate the issue.

But I am in the new ticket in customer "web site/page?". The reporter says if the customer has 'HR' in the comment and fills out the new ticket form, attaches a file, then presses submit, an error will occur saying that the Type is empty, and the title, which originally had a value, becomes empty. I tried with and without Type; it doesn't erase the title. I just noticed the title is formed by combining all the fields selected/entered by the user.

Code:

$Self->{TicketAcl}->{"Queue Change for SR - Customer Portal"} = {
  'Possible' => {
    'Ticket' => {
      'Queue' => [
        'Service Desk'
      ]
    }
  },
  'PossibleNot' => {},
  'Properties' => {
    'Frontend' => {
      'Action' => [
        'CustomerTicketMessage'
      ]
    },
    'Ticket' => {
      'Type' => [
        'Service Request'
      ]
    }
  },
  'PropertiesDatabase' => {},
  'StopAfterMatch' => 0
};
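
Added example (not part of the thread and not OTRS code): a shell/awk helper for step 2 of RStraub's list. It prints the ACLs in a ZZZACL.pm-style file that can apply to one frontend action, including ACLs with no Frontend filter, in the alphabetical order the thread describes. It assumes the Data::Dumper layout of the ACL quoted above; `acls_for_action`, `make_sample` and the two ACLs marked "constructed" are hypothetical.

```shell
# Assumes the Data::Dumper layout shown in the thread (one list value per line).
acls_for_action() {   # $1 = ZZZACL.pm-style file, $2 = frontend action name
    awk -v want="$2" -v q="'" '
    index($0, "$Self->{TicketAcl}->{") == 1 {
        name = substr($0, length("$Self->{TicketAcl}->{") + 2)  # skip prefix + quote
        sub(/.[}] *= *[{].*$/, "", name)                        # drop quote + "} = {"
        in_acl = 1; in_fe = 0; in_list = 0; filtered = 0; hit = 0; next
    }
    !in_acl { next }
    index($0, "};") == 1 {                 # end of one ACL: report it if it can apply
        if (hit) print name "\texplicit"
        else if (!filtered) print name "\tno-frontend-filter"
        in_acl = 0; next
    }
    index($0, q "Frontend" q) { in_fe = 1; next }
    in_fe && index($0, q "Action" q) { in_list = 1; filtered = 1; next }
    in_list && index($0, "]") { in_list = 0; next }
    in_list {
        val = $0; sub(/^[ \t]+/, "", val); sub(/,?[ \t]*$/, "", val)
        if (val == q want q) hit = 1
    }
    in_fe && $1 ~ /^[}]/ { in_fe = 0 }     # leaving the Frontend block
    ' "$1" | LC_ALL=C sort   # alphabetical by name, the order the thread describes
}
make_sample() {   # writes constructed ACL entries (sample data) to $1
    cat > "$1" <<'EOF'
$Self->{TicketAcl}->{"Queue Change for SR - Customer Portal"} = {
  'Properties' => {
    'Frontend' => {
      'Action' => [
        'CustomerTicketMessage'
      ]
    }
  }
};
$Self->{TicketAcl}->{"100-Agent close (constructed)"} = {
  'Properties' => {
    'Frontend' => {
      'Action' => [
        'AgentTicketClose'
      ]
    }
  }
};
$Self->{TicketAcl}->{"050-No frontend filter (constructed)"} = {
  'Properties' => { 'Ticket' => { 'State' => [ 'Resolved' ] } }
};
EOF
}
# Usage: acls_for_action ~otrs/Kernel/Config/Files/ZZZACL.pm CustomerTicketMessage
```

Running it against a copy of ZZZACL.pm from each environment and diffing the two outputs shows which ACLs for that action exist on only one side.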