Adding a record fails with permission denied

[mohamadhayek]

Package version (if known): 3.3

Describe the bug and Steps to Reproduce

I deployed Invenio following the documentation here: https://invenio.readthedocs.io/en/latest/quickstart/quickstart.html
I followed the instruction to create a record: https://invenio.readthedocs.io/en/latest/quickstart/crud-operations.html#crud-operations.

When executing the curl command to add a record:

curl -k --header "Content-Type: application/json" \
    --request POST \
    --data '{"title":"Some title", "contributors": [{"name": "Doe, John"}]}' \
    https://127.0.0.1:5000/api/records/?prettyprint=1

I got Unauthorized (401)

"message": "The server could not verify that you are authorized to access the URL requested invenio

Then I saw documentation on adding a user so I followed the steps here: https://github.com/inveniosoftware/training/tree/v3.1/02-invenio-tour
I created an admin user and got a token for that user. I then added another header to the curl command and it looked like this:

curl -k --header "Content-Type: application/json" --header "Authorization: Bearer $TOKEN\
    --request POST \
    --data '{"title":"Some title", "contributors": [{"name": "Doe, John"}]}' \
    https://127.0.0.1:5000/api/records/?prettyprint=1

I got Permission denied (403)

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

Expected behavior

As indicated in the documentation, I should get:

{
  "created": "2019-11-22T10:30:06.135431+00:00",
  "id": "1",
  "links": {
    "files": "https://127.0.0.1:5000/api/records/1/files",
    "self": "https://127.0.0.1:5000/api/records/1"
  },
  "metadata": {
    "contributors": [
      {
        "name": "Doe, John"
      }
    ],
    "id": "1",
    "title": "Some title"
  },
  "revision": 0,
  "updated": "2019-11-22T10:30:06.135438+00:00"
}