User getting 403 response when they shouldn't be


#1

Windows 2.0.1-1 bitnami installation
I have created a role with the following information:


I have then assigned that role to a user in each category: admin, swagger, and filemanager

I have logged in to the user session endpoint with the user's username and password:

http://localhost:80/api/v2/user/session
Body:
{
  "email": "",
  "password": "",
  "duration": 0
}

I then get back an accessToken and try to send the following request

http://localhost:80/api/v2/exampleService/_table/exampleTable/exampleID?id_field=exampleIDfield
headers:
  X-DreamFactory-Session-Token: TokenHere

When I send that request I get the following 403 access forbidden response:

{
  "error": {
    "context": null,
    "message": "Access Forbidden.",
    "code": 403,
    "trace": [
      "0 [internal function]: DreamFactory\Http\Middleware\AccessCheck->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "1 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "2 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "3 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9535): call_user_func(Object(Closure), Object(Illuminate\Http\Request))",
      "4 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(8892): Illuminate\Pipeline\Pipeline->then(Object(Closure))",
      "5 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(8877): Illuminate\Routing\ControllerDispatcher->callWithinStack(Object(DreamFactory\Http\Controllers\RestController), Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request), 'handleGET')",
      "6 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7831): Illuminate\Routing\ControllerDispatcher->dispatch(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request), 'DreamFactory\\Ht...', 'handleGET')",
      "7 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7802): Illuminate\Routing\Route->runWithCustomDispatcher(Object(Illuminate\Http\Request))",
      "8 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7455): Illuminate\Routing\Route->run(Object(Illuminate\Http\Request))",
      "9 [internal function]: Illuminate\Routing\Router->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))",
      "10 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9553): call_user_func(Object(Closure), Object(Illuminate\Http\Request))",
      "11 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "12 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9535): call_user_func(Object(Closure), Object(Illuminate\Http\Request))",
      "13 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7456): Illuminate\Pipeline\Pipeline->then(Object(Closure))",
      "14 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7444): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))",
      "15 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(7429): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))",
      "16 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(2304): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))",
      "17 [internal function]: Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}(Object(Illuminate\Http\Request))",
      "18 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9553): call_user_func(Object(Closure), Object(Illuminate\Http\Request))",
      "19 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\vendor\barryvdh\laravel-cors\src\HandleCors.php(43): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "20 [internal function]: Barryvdh\Cors\HandleCors->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "21 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "22 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(17932): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "23 [internal function]: DreamFactory\Http\Middleware\FirstUserCheck->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "24 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "25 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(12881): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "26 [internal function]: Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "27 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "28 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(11504): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "29 [internal function]: Illuminate\Session\Middleware\StartSession->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "30 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "31 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(12622): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "32 [internal function]: Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "33 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "34 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(12561): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "35 [internal function]: Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "36 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "37 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(2978): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "38 [internal function]: Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))",
      "39 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9545): call_user_func_array(Array, Array)",
      "40 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))",
      "41 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(9535): call_user_func(Object(Closure), Object(Illuminate\Http\Request))",
      "42 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(2251): Illuminate\Pipeline\Pipeline->then(Object(Closure))",
      "43 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\bootstrap\cache\compiled.php(2234): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))",
      "44 C:\Bitnami\dreamfactory-2.0.1-1\apps\dreamfactory\htdocs\public\index.php(53): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))",
      "45 {main}"
    ]
  }
}

I would like to note that when I log in as an admin using the admin session endpoint and use that session token to send the identical GET request, it works as it should. Also, when I log in with this user through the dashboard and use Swagger to send the request, it works fine as well.


#2

This issue is solved when I attached the swagger api key along with a non-admin user request:

http://localhost:80/api/v2/exampleService/_table/exampleTable/exampleID?id_field=exampleIDfield
headers:
  X-DreamFactory-Session-Token: TokenHere
  X-Dreamfactory-api-key: swaggerAPIkeyHere

This is something I do not have to include when I send the request with an admin user. Is this intended, or did I stumble upon a workaround?

When I create a service, should I also create an "app" on the dashboard for that service and then use that API key with requests? If so, how would I go about making an app that is for a service?
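The exchange from posts #1 and #2 as a small client, added here as an example and not code from the thread or from DreamFactory itself. It assumes the thread's local base URL, builds the same session login and table GET, and turns a 403 into a short diagnosis (missing app API key versus a role problem) instead of dumping the stack trace; the `diagnose` rule is this example's own heuristic based on what the thread reports.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:80/api/v2"   # assumed: the thread's local Bitnami install
TOKEN_HEADER = "X-DreamFactory-Session-Token"
API_KEY_HEADER = "X-DreamFactory-API-Key"  # HTTP header names are case-insensitive

def login_request(email, password, duration=0):
    """Build (not send) the POST to /user/session shown in post #1."""
    body = json.dumps({"email": email, "password": password, "duration": duration}).encode()
    return urllib.request.Request(f"{BASE_URL}/user/session", data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def data_headers(session_token, api_key=None):
    """Headers for a data call; a non-admin session also needs the app's API key (post #2)."""
    headers = {TOKEN_HEADER: session_token}
    if api_key:
        headers[API_KEY_HEADER] = api_key
    return headers

def diagnose(status, body, sent_headers):
    """Map a response to its likely cause instead of dumping the stack trace (heuristic)."""
    if status == 200:
        return "ok"
    if status == 403:
        if not any(k.lower() == API_KEY_HEADER.lower() for k in sent_headers):
            return "forbidden without API key: send the app's API key (admin sessions are exempt)"
        return "forbidden with API key: check the role assigned to this user for that app"
    msg = body.get("error", {}).get("message", "") if isinstance(body, dict) else ""
    return f"unexpected {status}: {msg}"

def get_record(service, table, record_id, session_token, api_key=None, id_field=None):
    """GET one record the way post #1 does; returns (status, body, diagnosis)."""
    url = f"{BASE_URL}/{service}/_table/{table}/{record_id}"
    if id_field:
        url += "?" + urllib.parse.urlencode({"id_field": id_field})
    headers = data_headers(session_token, api_key)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            status, body = resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        status = err.code
        try:
            body = json.load(err)
        except ValueError:
            body = {}
    return status, body, diagnose(status, body, headers)
```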


#3

Hello @JamesBedont, according to the doc, “API key is required in most REST calls, (except session management and some system calls)”

My suggestion is to create a generic App for use in requests that do not fit into existing Apps.


#4

@juniorconte I noticed that in the documentation; however, I haven't created an app. I created a service.

My confusion was twofold:

  1. I was sending requests that were working fine with an admin session token without including an API key header, so that was inconsistent with the documentation.
  2. I created a service for a database, not an "app"; it seems only apps have API keys associated with them. So when I saw the documentation say to include an API key, I was unsure which key was to be included, seeing as what I had created did not have an API key.
  3. When I looked at the description of the Swagger app, it says it "allows viewing and testing of API documentation". I was looking to actually make API calls to my service externally, so reading that didn't make it clear it was relevant to my goals.

I will look into your suggestion, thank you very much. I now understand how to move forward.