Kernel::WebApp::Controller::API::Role::RequiresAgentTicketPermission – Require permission for the current ticket(s).


Just consume this role to make sure that your endpoint can only be used by agents with permission for the current ticket(s) (see further below for which permission and which tickets):

    with qw(Kernel::WebApp::Controller::API::Role::RequiresAgentTicketPermission);

It works by wrapping a default implementation around Kernel::WebApp::Controller::API::Base::Authorize(), which requires ticket permission or otherwise sends a 403 Forbidden response.

You can still provide your own Authorize() method to perform additional checks in the endpoint.


This method provides the TicketIDs to be used for the permission check. The default implementation fetches them from the :TicketID param value, or from the :TicketNumber param value with a lookup.

You can override the default implementation of this attribute to specify a different source for the TicketIDs to test – it is possible to specify multiple, and all of them must have proper permission.

    sub TicketAgentPermissionTicketIDs {
        # Custom implementation that returns an ArrayRef of TicketIDs.
        my $Self = shift;
        return [ $Self->stash('TicketID1'), $Self->stash('TicketID2') ];
    }


This method provides the permission that the agent needs to have for the current ticket(s); it defaults to rw. You can override the default value to change this:

    sub TicketAgentPermissionType {
        return 'ro';
    }
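
The "all tickets must have proper permission, otherwise 403" rule described above, as an added standalone model that is not the role's own code. `AuthorizeTickets`, `HasPermission` and `%Grants` are hypothetical names, and treating an empty list or an undefined ID (for example an unset stash key in a custom `TicketAgentPermissionTicketIDs`) as a denial is an assumption about the behaviour you want, not a statement about how the role itself handles it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample grants (hypothetical data): agent => { TicketID => permission }.
my %Grants = ( agent1 => { 101 => 'rw', 102 => 'ro' } );

# Hypothetical stand-in for the permission backend; 'rw' is treated as implying 'ro'.
sub HasPermission {
    my ( $Agent, $TicketID, $Type ) = @_;
    return 0 if $Type ne 'ro' && $Type ne 'rw';
    my $Granted = $Grants{$Agent} ? $Grants{$Agent}{$TicketID} : undef;
    return 0 if !defined $Granted;
    return ( $Granted eq 'rw' || $Granted eq $Type ) ? 1 : 0;
}

# Returns the HTTP status a wrapper around Authorize() would produce:
# 200 to let the endpoint continue, 403 to reject the request.
sub AuthorizeTickets {
    my ( $Agent, $TicketIDs, $Type ) = @_;

    # Fail closed: a missing or empty list means nothing was actually checked.
    return 403 if ref $TicketIDs ne 'ARRAY' || !@{$TicketIDs};

    for my $TicketID ( @{$TicketIDs} ) {

        # An undefined or malformed ID is a denial, never a skipped check.
        return 403 if !defined $TicketID || $TicketID !~ m{\A[1-9][0-9]*\z};

        # Every ticket must pass; one failure rejects the whole request.
        return 403 if !HasPermission( $Agent, $TicketID, $Type );
    }
    return 200;
}

# Constructed test cases: agent, TicketIDs, required permission type.
my @Cases = (
    [ 'agent1', [101],          'rw' ],    # single ticket, rw granted
    [ 'agent1', [ 101, 102 ],   'rw' ],    # ticket 102 is granted ro only
    [ 'agent1', [ 101, 102 ],   'ro' ],    # both tickets readable
    [ 'agent1', [ 101, undef ], 'ro' ],    # second ID missing from the source
    [ 'agent1', [],             'ro' ],    # no tickets supplied
);

for my $Case (@Cases) {
    my ( $Agent, $IDs, $Type ) = @{$Case};
    my $List = join ',', map { $_ // 'undef' } @{$IDs};
    printf "%s needs %s on [%s] => %d\n", $Agent, $Type, $List,
        AuthorizeTickets( $Agent, $IDs, $Type );
}
```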