Using API to generate reservations always returns "Access to resource has been denied".

[TheAFKGamer10]

Describe the bug

When using the API to generate a new reservation it always returns "Access to resource has been denied" and never generates the reservation.
In the API Documentation the example states that the format of

{
  "tickets": [
    {
      "ticketCategoryId": 53,
      "quantity": "1",
      "attendees": [
        {
          "firstName": "Test",
          "lastName": "McTest",
          "email": "[email protected]",
          "metadata": {
            "attributeForTicket1": "value"
          }
        }
      ]
    },
    {
      "ticketCategoryId": 56,
      "quantity": "2",
      "attendees": [
        {
          "firstName": "John",
          "lastName": "Doe",
          "email": "[email protected]",
          "metadata": {
            "attributeForTicket1": "value1"
          }
        },
        {
          "firstName": "Jane",
          "lastName": "Doe",
          "email": "[email protected]",
          "metadata": {
            "attributeForTicket2": "value2"
          }
        }
      ]
    }
  ],
  "additionalServices": [
    {
      "additionalServiceId": 1,
      "quantity": 1
    }
  ],
  "promoCode": null,
  "user": {
    "username": "[email protected]",
    "firstName": "Test",
    "lastName": "McTest",
    "email": "[email protected]",
    "id": "external-id"
  },
  "configuration": {
    "hideContactData": false
  }
}

should work to generate a new reservation, replacing the required values with proper ones, but it does not and just gives the "Access to resource has been denied" error.

The Actual Request I am Sending:

Using fetch in a node.js project, Postman, and cURL in a bat file with the headers:

"Authorization": `ApiKey ALFIO_API_KEY`,
"Cache-Control": "no-cache",
"Content-Type": "application/json"

The ALFIO_API_KEY was tried with every role. The API Client role was the only one that did not send a permission denied response, but send the "Access to resource has been denied" response. I also tried with the System API Key, but that did not work as well.
Sending the data:

{
    "tickets": [
        {
            "ticketCategoryId": 1,
            "quantity": "1",
            "attendees": [
                {
                    "firstName": "John",
                    "lastName": "Doe",
                    "email": "[email protected]",
                    "metadata": {}
                }
            ]
        }
    ],
    "additionalServices": [],
    "promoCode": null,
    "user": {
        "username": "USER'S_USERNAME",
        "firstName": "USER'S_FIRSTNAME",
        "lastName": "USER'S_LASTNAME",
        "email": "USER'S_EMAIL"
    },
    "configuration": {
        "hideContactData": false
    }
}

The USER was tested with both the Organization owner and Check-in supervisor role. I also tried using the admin account, but that also did not work and gave the same "Access to resource has been denied" response.
The request was also tried with more than one attende, but with the same result.
I also tried to make the event and categories public, being both free and paid, with dynamic and static ticket counts, and that also did not fix it.

To Reproduce

Steps to reproduce the behavior:

1. Create a new organization.
2. Create a new event from the organization you just created, or use an existing event. Take note of the slug for the event.
3. Create a new category for the event you just created. Take note of the event ID.
4. Create a new API Key with the organization you just created and a role of API Client.
5. Create a new User with the same organization as before and the role of Organization owner. Taking note of the Username, First name, Last name, and Email.
6. Create the data of an attendee for the event in the JSON format:

{
  "tickets": [
    {
      "ticketCategoryId": NEW_CATEGORY_ID,
      "quantity": "1",
      "attendees": [
        {
          "firstName": "RADNOM_FIRST_NAME",
          "lastName": "RANDOM_LAST_NAME",
          "email": "YOUR_EMAIL",
          "metadata": {}
        }
      ]
    },
  ],
  "additionalServices": [],
  "promoCode": null,
  "user": {
    "username": "NEW_USER_JUST_CREATED_USERNAME",
    "firstName": "NEW_USER_JUST_CREATED_FIRSTNAME",
    "lastName": "NEW_USER_JUST_CREATED_LASTNAME",
    "email": "NEW_USER_JUST_CREATED_EMAIL",
    "id": ""
  },
  "configuration": {
    "hideContactData": false
  }
}

7. Create a new cURL request with the format of:

curl -X POST YOU_ALFIO_INSTANCE/api/v1/admin/event/EVENT_SLUG/reservation \
-H "Authorization: ApiKey YOUR_NEW_API_KEY" \
-H "Cache-Control: no-cache" \
-H "Content-Type: application/json" \
-d "YOUR_ATTENDEE_DATA"

8. Get the "Access to resource has been denied" API response.

Expected behavior

When submitting the data, a new reservation should be created for each attendee in the tickets list to the event from the URL slug with the category in the ticketCategoryId.

Screenshots

Server:

• OS: Ubuntu Server
• Version: 22.04
• ALFIO Version: 2.0-M5
• Java Version:

openjdk version "17.0.12" 2024-07-16
OpenJDK Runtime Environment (build 17.0.12+7-Ubuntu-1ubuntu222.04)
OpenJDK 64-Bit Server VM (build 17.0.12+7-Ubuntu-1ubuntu222.04, mixed mode, sharing)

Desktop:

• OS: Windows 11
• Browser: Chrome & Postman
• Version: 128.0.6613.139

Additional context

I was originally trying to implement creating tickets into a Node.js project that would call this API, but because it is not working as expected, some of the features of our program had to be pushed back to work on this change.