We have a site in development and we are using JavaScript to call the API to fetch some rendered HTML for a few views.
I used the API key to generate the basic auth key.
When a non-logged-in user browses the site and clicks a particular link, we have an off-canvas layer come out and the JavaScript fetches the information via the API to fill in the canvas with rendered HTML. This works perfectly.
Same thing happens if the user is logged in but ONLY if the user is an Administrator. ALL other roles result in 403 errors. I can't give every user Administrator privileges. This feels like a bug to me because if I have the auth key programmed into my code, regardless of the user, it should work.
Would appreciate any help you can provide.
How are you fetching the information in JavaScript with the REST API?
Yes. Using jQuery and including the beforeSend with the basic auth. Again it works if the user is either not logged in or is an administrator. But if logged in and a different role (editor, author, contributor etc) it says it's not authorized.
Any ideas? We are blocked from going live with this site due to this bug.
To be clear the message we are getting is "Sorry, you are not allowed to do that."
Oh, just a bit more context. This only seems to affect either GET endpoints or possibly just the /views endpoints. I am able to run the PATCH and DELETE endpoints without error.
This code works fine:
    jQuery.ajax({
        type: 'PATCH',
        url: '/wp-json/frm/v2/entries/' + posting_id,
        dataType: 'json',
        // Basic auth header built from the API key
        beforeSend: function ( xhr ) {
            xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==' );
        },
        success: function ( response ) {
            // do my thing here.
        }
    });
This code causes an error (same user, same session, same role, same page):
    jQuery.ajax({
        url: '/wp-json/frm/v2/views/4290',
        type: 'GET',
        dataType: 'json',
        data: { 'restaurant': restaurant },
        // Same Basic auth header as the PATCH call above
        beforeSend: function ( xhr ) {
            xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==' );
        },
        success: function ( response ) {
            jQuery( '#objecttoinjecthtmlinto' ).append( response.renderedHtml );
        }
    });
The error I'm getting is:
    code: "rest_forbidden"
    message: "Sorry, you are not allowed to do that."
    data: Object { status: 403 }
    status: 403
I would really appreciate some help on this.
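Whatever turns out to cause the 403, the calls above ship the Basic auth value in page JavaScript, so any visitor who views the source can reuse it, including against the PATCH and DELETE endpoints that the post says work. An added example (not from the thread or from Formidable) of a small WordPress mu-plugin that keeps the key on the server and exposes only a GET of an allow-listed view; the `site-proxy/v1` route, the `FRM_PROXY_BASIC_AUTH` constant and the allow-list are assumptions.

```php
<?php
// Hypothetical mu-plugin (added example, not from the thread or Formidable).
// FRM_PROXY_BASIC_AUTH is an assumed wp-config.php constant holding the same
// base64 value the browser code put after "Basic ", e.g.
// define( 'FRM_PROXY_BASIC_AUTH', 'MyEncodedApiKey==' );
defined( 'ABSPATH' ) || exit;
// Constructed allow-list of view ids visitors may render (4290 is the thread's id).
const SITE_PROXY_ALLOWED_VIEWS = array( 4290 );
add_action( 'rest_api_init', function () {
    register_rest_route( 'site-proxy/v1', '/view/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'site_proxy_render_view',
        // Logged-out visitors need this too, so the route is public; the
        // allow-list and GET-only method are what limit what the key can reach.
        'permission_callback' => '__return_true',
        'args'                => array(
            'restaurant' => array(
                'sanitize_callback' => function ( $value ) { return sanitize_text_field( $value ); },
            ),
        ),
    ) );
} );
function site_proxy_render_view( WP_REST_Request $request ) {
    if ( ! defined( 'FRM_PROXY_BASIC_AUTH' ) ) {
        return new WP_Error( 'proxy_misconfigured', 'API key not configured', array( 'status' => 500 ) );
    }
    $view_id = (int) $request['id'];
    if ( ! in_array( $view_id, SITE_PROXY_ALLOWED_VIEWS, true ) ) {
        return new WP_Error( 'proxy_forbidden', 'View is not exposed', array( 'status' => 403 ) );
    }
    $url = add_query_arg(
        array( 'restaurant' => $request->get_param( 'restaurant' ) ),
        rest_url( 'frm/v2/views/' . $view_id )
    );
    // Server-to-server call: it carries the API key and no browser cookies, so the
    // Formidable endpoint sees the key's identity rather than the visitor's session.
    $response = wp_remote_get( $url, array(
        'timeout' => 10,
        'headers' => array( 'Authorization' => 'Basic ' . FRM_PROXY_BASIC_AUTH ),
    ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'proxy_upstream', $response->get_error_message(), array( 'status' => 502 ) );
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $response ) || empty( $body['renderedHtml'] ) ) {
        return new WP_Error( 'proxy_upstream', 'Upstream view request failed', array( 'status' => 502 ) );
    }
    // Return only the field the page's jQuery consumes.
    return rest_ensure_response( array( 'renderedHtml' => $body['renderedHtml'] ) );
}
```

The browser code then requests `/wp-json/site-proxy/v1/view/4290?restaurant=...` with no Authorization header and appends `response.renderedHtml` exactly as before.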
It seems that this is an issue with some level of permission on the role. The only way to "solve" it is to install something like Members plugin where you can edit the granted roles. I am not sure which one I enabled to fix it but I went through and granted pretty much all of the read permissions in addition to some manage options. It's a work-around right now. It seems that perhaps the api module needs to have something added to allow access to non-admin users.
@Victor Font Is there any chance you can look into this? The "solution" I had come up with did not work as I'd thought.
Really need some help.
Sorry Andrew. I don't have the bandwidth to do a deep dive into your system as a community volunteer. If you want to engage me in a paid project, you can make a request here: https://formidable-masterminds.com/project-application/