Local File Storage Upload 403 Forbidden Error


I am trying to upload a file to local file storage using the standard API setup by the Dreamfactory install. Currently, I’m using the cloud version of the API.

Admin Application Version: 2.0.5
DreamFactory Version: 2.0.2

My application is an AngularJS app that uses the API for login (the accounts were setup in the Users interface in DF). Here are my steps:

  1. Created the App in DF
  2. Created the roles in DF and gave access to the necessary API. In this case, I gave the admin role files/, files/sub_dir/, and files/sub_dir/ access
  3. Created the users, one I assigned admin access, the other is just a plain user, which only has access to login and GET files
  4. Setup CORS for all domains to make sure it was accessible.

I am using an angularjs upload plugin (https://github.com/danialfarid/ng-file-upload), but also viewed the link here which is very similar: https://github.com/dreamfactorysoftware/dsp-core/wiki/File-Storage-Services.

So i am able to login just fine with both accounts, but keep getting a 403 forbidden error when I attempt to upload a file. I am sending the session token in the header after login using X-Dreamfactory-Session-Token and I’ve also tried just sending in the app name both in the header with X-Dreamfactory-Application-Name and also as a query string. No dice.

The endpoint is in format: http://myserver/api/v2/files/{container}/

Any ideas what I am doing incorrectly?


I had the same over the last couple days, but cannot remember exactly what I did to fix it. I probably has to do with the url that you’re using if i remember correctly or maybe the content of the file used under data. In the end I’m using not Angular but Jquery to get it done. I’m not sure how good the code is, but it is working for me:

var AP = “-your app key-”;
var UT = “-session token-”;
var fileext = ".jpg"
var filename = “something”;

	type: 'POST', 
	beforeSend: function(request) {
		request.setRequestHeader('X-DreamFactory-Api-Key', AP);
		request.setRequestHeader('X-DreamFactory-Session-Token', UT);
		request.setRequestHeader("Content-Type", file.type);
	//note that i'm using a subfolder called files under the default container
	url: '//your-server name-/api/v2/files/files/' + filename + fileext + '?check_exist=true',
	data: file,
	cache: false,
	processData: false,
	success: function(response) {
	error: function(xhr, ajaxOptions, thrownError) { 


The “file” object is coming from a standard file picker. Hope it helps one way or the other