SIGN UP

API Only works for Administrator and non logged in users

By: Andrew Christensen | Asked: 09/08/2023
ForumsCategory: Code HelpAPI Only works for Administrator and non logged in users
0 Vote Up Vote Down
Andrew Christensen asked 11 months ago
We have a site in development and we are using javascript to call the API to fetch a few rendered html for some views. I used the API key to generate the basic auth key. When a non logged in users browses the site and clicks a particular link, we have an off canvas layer come out and the javascript fetches the information via the API to fill in the canvas with rendered html. This works perfectly. Same thing happens if the user is logged in but ONLY if the user is an Administrator. ALL other roles result in 403 errors. I can't give every user Administrator privileges. This feels like a bug to me because if I have the auth key programmed into my code, regardless of the user, it should work. Would appreciate any help you can provide.
4 Answers
0 Vote Up Vote Down
Victor Font answered 11 months ago
How are you fetching the information in JavaScript with the REST API?
Andrew Christensen replied 11 months ago

Yes. Using jQuery and including the beforeSend with the basic auth. Again it works if the user is either not logged in or is an administrator. But if logged in and a different role (editor, author, contributor etc) it says it's not authorized.

Andrew Christensen replied 11 months ago

Any ideas? We are blocked from going live with this site due to this bug.

Andrew Christensen replied 11 months ago

To be clear the message we are getting is "Sorry, you are not allowed to do that."

Andrew Christensen replied 11 months ago

Oh just a bit more context. This only seems to affect either GET endpoints or possibly just the /views endpoints. I am able to run the PATCH and DELETE endpoints without error.

0 Vote Up Vote Down
Andrew Christensen answered 11 months ago

This code works fine:

jQuery.ajax({
	type: 'PATCH',
	url: '/wp-json/frm/v2/entries/'+posting_id,
	dataType: 'json',
	beforeSend: function ( xhr ) {
		xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==');
	},
	success: function(response) {
		// do my thing here.
	}
});


This code causes an error (same user, same session, same role, same page):

jQuery.ajax({
	url: '/wp-json/frm/v2/views/4290',
	type: 'GET',
	dataType: 'json',
	data: {'restaurant' : restaurant},
	beforeSend: function ( xhr ) {
		xhr.setRequestHeader( 'Authorization', 'Basic MyEncodedApiKey==');
	},
	success: function(response) {
		jQuery('#objecttoinjecthtmlinto').append(response.renderedHtml);
	}
});

The error I'm getting is: 

code "rest_forbidden"
message "Sorry, you are not allowed to do that."
data Object { status: 403 }
status 403

I would really appreciate some help on this.

0 Vote Up Vote Down
Andrew Christensen answered 11 months ago
It seems that this is an issue with some level of permission on the role. The only way to "solve" it is to install something like Members plugin where you can edit the granted roles. I am not sure which one I enabled to fix it but I went through and granted pretty much all of the read permissions in addition to some manage options. It's a work-around right now. It seems that perhaps the api module needs to have something added to allow access to non-admin users.
0 Vote Up Vote Down
Andrew Christensen answered 10 months ago
@Victor Font Is there any chance you can look into this? The "solution" I had come up with did not work as I'd thought. Really need some help.  
Victor Font replied 10 months ago

Sorry Andrew. I don't have the bandwidth to do a deep dive into your system as a community volunteer. If you want to engage me in a paid project, you can make a request here: https://formidable-masterminds.com/project-application/

Making the Best WordPress Plugin even better - Together

Take on bigger projects with confidence knowing you have access to an entire community of Formidable Experts and Professionals who have your back when the going gets tough. You got this!
Join the community
crossarrow-right