Custom script 403 error


#1

No matter what I try I am getting a 403 error when trying to make a custom script. I swear it worked once, the first time, but then never again. The status code is:

403 Forbidden. You have no access to this file or folder.

Even though I have opened everything up… guest user can access scripts and the database table the script is accessing.


#2

How are you trying to create the custom script? From the admin console or from the API? Can you do it from the admin console?


#3

From the admin console.


#4

In the root of your DSP installation check the permissions on storage/.private and sub directories. Here’s what it looks like on my mac.

drwxr-xr-x 3 gta admin 102 Nov 24 15:28 config/
drwxr-xr-x 4 gta admin 136 Nov 25 15:56 scripts/
drwxr-xr-x 2 gta admin 68 Nov 25 11:28 scripts.user/


#5

This is a bitnami install on a windows box. I checked storage/.private and opened up the permissions to no avail…

also this is version 1.8, because bitnami is being weird right now and I can’t download the 1.8.2 update. If that matters.


#6

I still cannot get a script to work.

I can use the API Docs to call “rest/system/script” and I get the json list of scripts:

{
  "resource": [
    {
      "event_name": "createlead",
      "file_mtime": 1416942063,
      "file_name": "createlead.js",
      "file_path": "C:\\Bitnami\\apps\\dreamfactory\\htdocs/storage/.private/scripts.user\\createlead.js",
      "is_user_script": true,
      "language": "js",
      "script": "createlead.js",
      "script_id": "createlead"
    }
  ]
}

but when I try to call the script using POST in the API Docs “rest/system/script/createlead” I get this:

{
  "error": [
    {
      "context": null,
      "message": "The script ID "script.createlead" is not valid or unreadable.",
      "code": 500
    }
  ]
}

What am I doing wrong? Right now the script just returns true and nothing else.


#7

To call a custom script you have to set is_user_script to true. User scripts and custom scripts are the same thing. We’re trying to convert over to say ‘custom scripts’ but as you can see this is not complete.


#8

I dont understand. It looks like is_user_script already is set to true?


#9

My bad, you meant to add this argument when calling the script. OK. so now, when I do that, I get an error: failed to create v8 context.

I assume this means it cannot launch the javascript interpreter, and I assume further this is because its not supported or configured correctly on the windows bitnami install?


#10

You are right there is a problem calling custom scripts from the API docs. We will look into it ASAP. Another way to call a custom script is to go to your DSP test console called test_rest.html.

For example http://localhost:8080/test_rest.html.

For URL enter /rest/system/script/yourscriptname?is_user_script=true.
Set method to POST.
Click Submit.

After trying via the API Docs the scripting engine was not available as you saw, and I had to restart Apache. Then it worked from test_rest.html until I tried it again from the API Docs and it got messed up again. Sorry about this we will figure it out soon.


#11

wow ok thanks that explains why I got it to work the one time and then never again, until I restarted things.


#12

Hi @greywire, I have submitted this problem with the WAMP install package as a bug to our engineers. It is Issue #55 on GitHub, where you may track it and subscribe for updates.

https://github.com/dreamfactorysoftware/dsp-core/issues/55


#13

Hi @greywire, we are working to resolve this issue but are getting inconsistent results across versions and browsers. I cannot get this problem to occur in Windows 8.1, using Chrome or Firefox, and with Bitnami DSP packages 1.8.0-0 or 1.8.2-0.

Could you let me know which OS and browser versions you observed this in?


#14

It was a windows 7 box, with the latest version of chrome.

I’ve since moved to heroku…


#15

Hello Todd,

We are running bitnami DF 1.9.0 on ubuntu 14.04 x64. We are able to call the custom script but get a 403 error.

window.df.apis.system.runScript({
“script_id”: “add”,
“is_user_script”:true
}, function (response) {
alert(“success”);
},function(response){
alert(“error”)
});

Error is:

POST http://df01.systemacorp.com/rest/system/script/add?is_user_script=true 403 (Forbidden)

Here are the permissions on the directories

drwxr-xr-x 2 daemon daemon 225280 Apr 8 03:40 .cache
drwxrwsr-x 2 daemon daemon 4096 Mar 10 04:17 config
-rw-r–r-- 1 daemon daemon 0 Mar 10 03:16 .registration_complete.1fc958a39bb0f6cf859225bd5afe2f5e583326e9
-rw-r–r-- 1 daemon daemon 0 Mar 11 03:12 .registration_complete.693eb7aca861b084772aa50fa09f6b504464ab8d
drwxr-xr-x 2 daemon daemon 4096 Mar 10 03:16 scripts
drwxr-xr-x 2 daemon daemon 4096 Apr 8 03:36 scripts.user

Here are the permissions on the scripts

-rw-r–r-- 1 daemon daemon 42 Apr 8 03:38 add.js
-rw-r–r-- 1 daemon daemon 1 Apr 8 03:36 customscript.js
-rw-r–r-- 1 daemon daemon 64 Apr 8 01:18 delete.js

Do I need execute permissions on the scripts?


#16

Found the cause of 403 error on my previous post. The permission for the Role of the application must be allowed for at least the POST request. Now the script is executing but we are not able to get any parameters from the event object inside the custom script. The event object does not contain the other parameters passed. Is runScript the correct api to use for a custom script?

Here is the df api call:

window.df.apis.system.runScript({
“script_id”: “add”,
“is_user_script”:true,
“n1”: “2”
}, function (response) {
alert(response.script_result);
console.log(response);
},function(response){
alert(response)
console.log(response);
});

This the custom “add” script we used to test if event is null:

return JSON.stringify(event);

results in:

{“is_user_script”:“true”,“path”:“system/script/add”,“tag”:“exposed_event”}

It seems that the parameter n1 is not passed to the event object in the custom script.


#17

@tborja

I tested this "return JSON.stringify(event);"
and I also tested this “return event;”

without going deeper into the PHP code on how custom scripts are being handled - I assume that an event object will not be returned by the custom script.

However, if you just want to test that the parameter is being read by your custom script.
Following the samples in the scripts provided by DSP.

You should try this "return event.n1;"
The n1 value should return under script_result.