
platform.api.get('system/user/#') returns 403 despite proper role

Open erikkurtu opened this issue 6 years ago • 4 comments

From user.session.post.post_process event script: platform.api.get('system/user/'+platform.session.user.id+'?related=user_lookup_by_user_id')

Returns: "GET access to component 'user/91' of service 'system' is not allowed by this user's role."

The user is assigned to a role that has * access to * components in the "system" service, using the script requester.

This is a Bitnami VM hosted in Azure. Version 2.12.0

May 21 '18 18:05 erikkurtu

Hi @erikkurtu,

Does the user have the ability to use scripting as well? https://cl.ly/1L3v3E3r3A0h

Thanks,

Erik

May 21 '18 18:05 jacotri77

Hi Erik. Thanks for the reply. Yes, the script requester is checked in the role definition.

May 21 '18 19:05 erikkurtu

Thanks for the follow-up, I will pass this along to our engineering team to take a look. Have a great day!!

May 21 '18 19:05 jacotri77

One other note if it helps - I'm authenticating with an Active Directory OAuth service. So the user.session.post request is like this:

"https://sub.domain.com/api/v2/user/session?oauth_callback=true&code="+code+"&state="+state+"&session_state="+session_state+""

May 21 '18 19:05 erikkurtu