
Admin-scope token or: How to get hidden objects

Open famfop opened this issue 11 months ago • 10 comments

Hi, this is probably intended but:

As an administrator I want to run some sync scripts, but if I GET the space endpoint, I get a list of public spaces and my personal spaces. Is there a way to get all spaces, or: is there a way to create an admin-scoped token such that I may access everything?

If not, what would you suggest? I assume there are two possible work-arounds for this:

  1. Use some sort of admin bot-account
  2. Impersonate a designated space-admin for each space

What would you suggest?

famfop avatar Jan 02 '25 12:01 famfop

@gevorgmansuryan Do you have an idea here?

luke- avatar Jan 04 '25 21:01 luke-

Hi, is there any update on this?

famfop avatar Jan 16 '25 13:01 famfop

@famfop You can create an admin scope token at Administration -> Modules -> RESTful API -> Configure. Then enable Allow Bearer Authentication, then go to the Bearer Auth tab and create a token for the admin user. With the admin bearer token you will be able to see all spaces.

gevorgmansuryan avatar Jan 20 '25 13:01 gevorgmansuryan

Not sure if I am missing something, but the steps you explain are exactly what I did. With that, listing all spaces with GET /api/v1/space does list 13 spaces, which is exactly all spaces (public + my private) that I can see. Instance-wide through the admin page I do see many more.

I did find a work-around by impersonating a user that I know is a member of the space in order to get info about that space, but I guess some sort of parameter (to restrict to public/private spaces or without parameter list all) would be very helpful. Am I missing something?

famfop avatar Jan 20 '25 15:01 famfop

@famfop Strange. Do you have access to the database?

gevorgmansuryan avatar Jan 20 '25 20:01 gevorgmansuryan

Sorry, just saw your answer. I could get it. What information do you need?

famfop avatar Jan 22 '25 09:01 famfop

@famfop Sorry for the late response. The problem should be fixed after the Rest module v0.10.5 release by setting \humhub\modules\space\Module::$globalAdminCanAccessPrivateContent to true.

gevorgmansuryan avatar Feb 22 '25 23:02 gevorgmansuryan

Great, once published (and installed by my colleague) I'm happy to come back to comment. I will close this for now then!

famfop avatar Feb 25 '25 17:02 famfop

@famfop Just set \humhub\modules\space\Module::$globalAdminCanAccessPrivateContent to true with the current version of rest.

gevorgmansuryan avatar Feb 26 '25 11:02 gevorgmansuryan
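
One way to apply the setting named in the comment above, as an added example that is not part of the original thread or the project's own code. It assumes the property is a public property of the space module set through the Yii2 modules array, and that the instance uses the usual HumHub config file location protected/config/common.php.

```php
<?php
// protected/config/common.php (assumed location of the instance config)
// Added example: sets the space module property named in this thread.
return [
    'modules' => [
        // 'space' is the module ID of \humhub\modules\space\Module
        'space' => [
            // Lets global administrators read private space content.
            // Per the thread, a bearer token created for an admin user
            // can then GET a private space through the REST module, so
            // that token should be stored and rotated as a high-privilege
            // credential.
            'globalAdminCanAccessPrivateContent' => true,
        ],
    ],
];
```

If common.php already returns an array, merge the 'modules' entry into it rather than replacing the file.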

I just tested it and you are right, that way it is possible to GET a private space! So, thanks! :)

Still, if it's fine I would re-open it for the following reason:

The GET /space endpoint is not yet able to list the private spaces together with the public ones. An option like ?include_private=true|false would be great IMHO.

famfop avatar Feb 27 '25 16:02 famfop