Correct /api/roles API to respond with 403 Forbidden (not 401 Unauthorized) when auth is good but no permission #11116
Conversation
pdurbin
added
Size: 10
This comment has been minimized.
This comment has been minimized.
1 similar comment
This comment has been minimized.
This comment has been minimized.
pdurbin
force-pushed
the
10340-forbidden
branch
from
76e27f3 to
caa00fb
Compare
This comment has been minimized.
This comment has been minimized.
pdurbin
changed the title
This comment has been minimized.
This comment has been minimized.
| Shows the role with ``id``:: | ||
| You must have ``ManageDataversePermissions`` to be able to show a role that was created using :ref:`create-role-in-collection`. Global roles (:ref:`create-global-role`) only be shown with a superuser API token. | ||
|
|
||
| A curl example using an ``ID``: |
There was a problem hiding this comment.
Should we say that you may also use a role's alias?
There was a problem hiding this comment.
@sekmiller it didn't work for me. This is what I put in the description of this PR:
"Also, the "Show Role" code suggests that aliases are supported but they don't seem to work. So when I updated the docs I made sure to use an example with an ID."
There was a problem hiding this comment.
This does work - curl -H "X-Dataverse-key:$API_TOKEN" "$SERVER_URL/api/roles/:alias?alias=admin"
Is it worth documenting?
There was a problem hiding this comment.
@sekmiller yes, as discussed in person. Good catch. Please see the commit message in d4f9189 where I added this and made a few more improvements while I was in there.
- missing JSON header added - smart quotes changed to straight - more consistency - typos fixed
This comment has been minimized.
This comment has been minimized.
1 similar comment
|
📦 Pushed preview images as 🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name. |
|
|
|
Dont know if its related to this ticket but here is an observation I had. I am unable to edit the name of a newly created role. Says, The role was not able to be saved. Role with this alias already exists. – Steps to Reproduce:
Screen.Recording.2025-01-15.at.4.19.03.PM.mov |
What this PR does / why we need it:
The Show Role API endpoint was returning 401 Unauthorized when a permission check failed. This has been corrected to return 403 Forbidden instead. That is, the API token is known to be good (401 otherwise) but the user lacks permission (403 is now sent). See also the API Changelog.
Which issue(s) this PR closes:
Special notes for your reviewer:
Only the one API endpoint was affected by this change:
I added a test for it.
Also, the "Show Role" code suggests that aliases are supported but they don't seem to work. So when I updated the docs I made sure to use an example with an ID.
Suggestions on how to test this:
Try the "Show Role" API and check if the status code is 403 or 401. See the updated docs for global roles vs roles that are created in a collection. It's a bit confusing, to be honest. 😬
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
No.
Is there a release notes update needed for this change?:
Yes, included.
Additional documentation:
I updated the Show Role docs while I was in there: https://dataverse-guide--11116.org.readthedocs.build/en/11116/api/native-api.html#show-role