Issues with Authentication via API

[pvenkman]

Hello,

I am running Zoneminder v 1.29.0 (installed via zmrepo) on CentOS Linux release 7.2.1511 (Core). I am using OPT_USE_AUTH.
Right now I am trying to integrate external (as in = not via the browser) control via the API.

I have added a new user specifically for this reason and gave him "Edit" rights for "Monitors" only, since I want to limit permissions available to the external access.

After authenticating via

Code: Select all

curl -d "username=XXXXX&password=XXXXXX&action=login&view=console" -c cookies.txt  https://HOST/zm/index.php

I cannot modify the Monitors function like so:

Code: Select all

curl -XPOST https://HOST/zm/api/monitors/X.json -d "Monitor[Function]=None" -b cookies.txt

which gives me:

Code: Select all

"name": "Insufficient privileges",
        "message": "Insufficient privileges",
        "url": "\/zm\/api\/monitors\/X.json",
        "exception": {
            "class": "UnauthorizedException",
            "code": 401,
            "message": "Insufficient privileges",

However when I use the admin account to authenticate instead, it works fine.

When I login to the webinterface using that newly created account, I CAN edit the function of the monitor. So it seems to be an API specific issue.
I have also tried supplying the new accounts with all rights available thru the user interface, to no avail.

Can someone tell me how to fix this? Is additional info required?