dhis2-devs team mailing list archive

Thread
Date

Re: API dataStore - 403 forbidden

To: Halvdan Hoem Grelland <halvdan@xxxxxxxxx>
From: Stian Sandvold <stian@xxxxxxxxx>
Date: Mon, 15 Aug 2016 12:09:54 +0200
Cc: DHIS 2 Developers list <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CACzpmAh+AKCJ5ySf795oyCt5muKnamSdYMQg48BT3syEZXndrw@mail.gmail.com>

Hi,

So the reason you are getting the 403 error is because you don’t have access to the namespace according to the system.

The way namespace access is checked is as follows:

1. No app has reserved the namespace: you have access
2. An app has reserved the namespace, and the user has at least one of the authorities required( as listed by Halvdan): you have access

So most likely there is a problem concerning the naming related to the app, namespace or authorities, so be sure to double and triple check this.

There is another internal check as well that might trigger, but it seems unlikely:
1. Logged in user does no exist (You are not logged in, or there is some problem elsewhere)
2. Your user does not have credentials (Probably a problem elsewhere in the system)
3. The app does not exists (but we know it does)
4. The app does not have a name


Another thing you can test is that you can access the app itself with the problem user. If this works, let me know.

——
Stian Sandvold
Software developer, DHIS 2
University of Oslo
http://www.dhis2.org




> On 12 Aug 2016, at 10:48, Halvdan Hoem Grelland <halvdan@xxxxxxxxx> wrote:
> 
> Also, what is the exact name of the "See ..." authority in the system?
> 
> On Fri, Aug 12, 2016 at 10:44 AM, Halvdan Hoem Grelland <halvdan@xxxxxxxxx <mailto:halvdan@xxxxxxxxx>> wrote:
> Hi again (and sorry for the late reply).
> 
> There seems to be no meaningful changes (that I can find, at least) for this between 2.23 and 2.24, so the difference is most likely down to a difference between the two databases. Did you try the 'working' DB on 2.24?
> 
> Also copying in Stian, who is more familiar with the
> is stuff than I am.
> 
> On Mon, Aug 8, 2016 at 8:53 PM, Olav Poppe <olav.poppe@xxxxxx <mailto:olav.poppe@xxxxxx>> wrote:
> Thanks, the user that gets "403 forbidden" has a user role with only "See <your-appname-here-without-braces>" and "See dashboard..." authorities and nothing else.
> 
> I have the same setup (user role with only "See dashboard..." and "See <your-appname-here-without-braces>") on 2.23 (though different database), but there it works fine.
> 
> Olav
> 
> 
> 
>> 8. aug. 2016 kl. 17.00 skrev Halvdan Hoem Grelland <halvdan@xxxxxxxxx <mailto:halvdan@xxxxxxxxx>>:
>> 
>> In order to access the data store your user needs either of the following:
>> 
>> - The "ALL" authority (i.e. a Superuser)
>> - The "M_dhis-web-maintenance-appmanager" authority (aka. "See apps maintenance module)
>> - The "See <your-appname-here-without-braces>" authority (the implicit app user auth)
>> 
>> I'm guessing your user doesn't have the last one.
>> 
>> On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe <olav.poppe@xxxxxx <mailto:olav.poppe@xxxxxx>> wrote:
>> Hi devs, 
>> I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a "regular" user with access to the app that defines the namespace.
>> 
>> I have the following setup:
>> - custom app with this in the manifest.webapp:
>> ...
>> "activities": {
>>         "dhis": {
>>             "href": "http://localhost/stable <http://localhost/stable>",
>>             "namespace": "dataQualityTool"
>>         }
>>     }
>> ...
>> - a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??
>> 
>> However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:
>> message: "The namespace 'dataQualityTool' is protected, and you don't have the right authority to access it."
>> 
>> Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…
>> 
>> Regards
>> Olav
>> 
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs <https://launchpad.net/~dhis2-devs>
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx <mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>
>> Unsubscribe : https://launchpad.net/~dhis2-devs <https://launchpad.net/~dhis2-devs>
>> More help   : https://help.launchpad.net/ListHelp <https://help.launchpad.net/ListHelp>
>> 
>> 
>> 
>> 
>> -- 
>> Halvdan Hoem Grelland
>> Software developer, DHIS 2
>> University of Oslo
>> http://www.dhis2.org <https://www.dhis2.org/>
>> 
> 
> 
> 
> 
> -- 
> Halvdan Hoem Grelland
> Software developer, DHIS 2
> University of Oslo
> http://www.dhis2.org <https://www.dhis2.org/>
> 
> 
> 
> 
> -- 
> Halvdan Hoem Grelland
> Software developer, DHIS 2
> University of Oslo
> http://www.dhis2.org <https://www.dhis2.org/>
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs <https://launchpad.net/~dhis2-devs>
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx <mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>
> Unsubscribe : https://launchpad.net/~dhis2-devs <https://launchpad.net/~dhis2-devs>
> More help   : https://help.launchpad.net/ListHelp <https://help.launchpad.net/ListHelp>

References

API dataStore - 403 forbidden
From: Olav Poppe, 2016-08-08
Re: API dataStore - 403 forbidden
From: Halvdan Hoem Grelland, 2016-08-08
Re: API dataStore - 403 forbidden
From: Olav Poppe, 2016-08-08
Re: API dataStore - 403 forbidden
From: Halvdan Hoem Grelland, 2016-08-12
Re: API dataStore - 403 forbidden
From: Halvdan Hoem Grelland, 2016-08-12