Fixes #3468: Not authorized error using Im X-On-Behalf-Of.

app/controllers/application_controller/authorizes.rb

@@ -23,6 +23,12 @@ module ApplicationController::Authorizes
   end
 
   def pundit_user
-    @pundit_user ||= UserContext.new(current_user, @_token)
+    @pundit_user ||= begin
+      if current_user_on_behalf
+        UserContext.new(current_user_on_behalf)
+      else
+        UserContext.new(current_user_real, @_token)
+      end
+    end
   end
 end

lib/user_context.rb

@@ -5,7 +5,7 @@
 # to the underlying User instance in the Policy
 class UserContext < Delegator
 
-  def initialize(user, token) # rubocop:disable Lint/MissingSuper
+  def initialize(user, token = nil) # rubocop:disable Lint/MissingSuper
     @user  = user
     @token = token
   end

spec/factories/token.rb

@@ -3,6 +3,20 @@ FactoryBot.define do
     user
     action { 'api' }
     persistent { true }
+    preferences do
+
+      permission_hash = permissions.each_with_object({}) do |permission, result|
+        result[permission] = true
+      end
+
+      {
+        permission: permission_hash
+      }
+    end
+
+    transient do
+      permissions { [] }
+    end
 
     factory :token_password_reset, aliases: %i[password_reset_token] do
       action { 'PasswordReset' }

spec/requests/api_auth_on_behalf_of_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
     create(:agent)
   end
   let(:customer) do
-    create(:customer)
+    create(:customer, firstname: 'Behalf of')
   end
 
   describe 'request handling' do
@@ -180,5 +180,34 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
       expect(json_response).to be_a_kind_of(Hash)
       expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')
     end
+
+    context 'when Token Admin has no ticket.* permission' do
+
+      let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }
+
+      let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }
+
+      let(:admin_user_role) do
+        create(:role).tap { |role| role.permission_grant('admin.user') }
+      end
+
+      it 'creates Ticket because of behalf of user permission' do
+        params = {
+          title:       'a new ticket #3',
+          group:       'Users',
+          priority:    '2 normal',
+          state:       'new',
+          customer_id: customer.id,
+          article:     {
+            body: 'some test 123',
+          },
+        }
+        authenticated_as(admin, on_behalf_of: customer.email, token: token)
+        post '/api/v1/tickets', params: params, as: :json
+        expect(response).to have_http_status(:created)
+        expect(json_response).to be_a_kind_of(Hash)
+        expect(customer.id).to eq(json_response['created_by_id'])
+      end
+    end
   end
 end

spec/support/request.rb

@@ -76,15 +76,18 @@ module ZammadSpecSupportRequest
 
     case via
     when :api_client
-      # if we want to authenticate by token
+      # ensure that always the correct header value is set
-      if options[:token].present?
+      # otherwise previous header configurations will be re-used
-        credentials = "Token token=#{options[:token].name}"
+      add_headers('X-On-Behalf-Of' => options[:on_behalf_of])
 
-        return add_headers('Authorization' => credentials)
+      # if we want to authenticate by token
+      credentials = if options[:token].present?
+                      "Token token=#{options[:token].name}"
+                    else
+                      ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
                     end
 
-      credentials = ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
+      add_headers('Authorization' => credentials)
-      add_headers('Authorization' => credentials, 'X-On-Behalf-Of' => options[:on_behalf_of])
     when :browser
       post '/api/v1/signin', params: { username: login, password: password, fingerprint: Faker::Number.number(9) }
     end