API Only works for Administrator and non logged in users

By: Andrew Christensen | Asked: 09/08/2023
ForumsCategory: Code HelpAPI Only works for Administrator and non logged in users
Andrew Christensen asked 1 year ago
We have a site in development and we are using javascript to call the API to fetch a few rendered html for some views. I used the API key to generate the basic auth key. When a non logged in users browses the site and clicks a particular link, we have an off canvas layer come out and the javascript fetches the information via the API to fill in the canvas with rendered html. This works perfectly. Same thing happens if the user is logged in but ONLY if the user is an Administrator. ALL other roles result in 403 errors. I can't give every user Administrator privileges. This feels like a bug to me because if I have the auth key programmed into my code, regardless of the user, it should work. Would appreciate any help you can provide.
4 Answers
Victor Font answered 1 year ago
How are you fetching the information in JavaScript with the REST API?
Andrew Christensen replied 1 year ago

Yes. Using jQuery and including the beforeSend with the basic auth. Again it works if the user is either not logged in or is an administrator. But if logged in and a different role (editor, author, contributor etc) it says it's not authorized.

Andrew Christensen replied 1 year ago

Any ideas? We are blocked from going live with this site due to this bug.

Andrew Christensen replied 1 year ago

To be clear the message we are getting is "Sorry, you are not allowed to do that."

Andrew Christensen replied 1 year ago

Oh just a bit more context. This only seems to affect either GET endpoints or possibly just the /views endpoints. I am able to run the PATCH and DELETE endpoints without error.

Andrew Christensen answered 1 year ago

This code works fine:

jQuery.ajax({
	type: 'PATCH',
	url: '/wp-json/frm/v2/entries/'+posting_id,
	dataType: 'json',
	beforeSend: function ( xhr ) {
		xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==');
	},
	success: function(response) {
		// do my thing here.
	}
});


This code causes an error (same user, same session, same role, same page):

jQuery.ajax({
	url: '/wp-json/frm/v2/views/4290',
	type: 'GET',
	dataType: 'json',
	data: {'restaurant' : restaurant},
	beforeSend: function ( xhr ) {
		xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==');
	},
	success: function(response) {
		jQuery('#objecttoinjecthtmlinto').append(response.renderedHtml);
	}
});

The error I'm getting is:

code "rest_forbidden"
message "Sorry, you are not allowed to do that."
data Object { status: 403 }
status 403

I would really appreciate some help on this.

Andrew Christensen answered 1 year ago
It seems that this is an issue with some level of permission on the role. The only way to "solve" it is to install something like Members plugin where you can edit the granted roles. I am not sure which one I enabled to fix it but I went through and granted pretty much all of the read permissions in addition to some manage options. It's a work-around right now. It seems that perhaps the api module needs to have something added to allow access to non-admin users.
Andrew Christensen answered 1 year ago
@Victor Font Is there any chance you can look into this? The "solution" I had come up with did not work as I'd thought. Really need some help.  
Victor Font replied 1 year ago

Sorry Andrew. I don't have the bandwidth to do a deep dive into your system as a community volunteer. If you want to engage me in a paid project, you can make a request here: https://formidable-masterminds.com/project-application/

Making the Best WordPress Plugin even better - Together

Take on bigger projects with confidence knowing you have access to an entire community of Formidable Experts and Professionals who have your back when the going gets tough. You got this!
Join the community
crossarrow-right