API dataStore - 403 forbidden

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {

        "href": "[http://localhost/stable](http://localhost/stable)",

        "namespace": "dataQualityTool"

    }

}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav

In order to access the data store your user needs either of the following:

  • The “ALL” authority (i.e. a Superuser)

  • The “M_dhis-web-maintenance-appmanager” authority (aka. "See apps maintenance module)

  • The "See " authority (the implicit app user auth)

I’m guessing your user doesn’t have the last one.

···

On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe olav.poppe@me.com wrote:

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {
        "href": "[http://localhost/stable](http://localhost/stable)",
        "namespace": "dataQualityTool"
    }
}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Thanks, the user that gets “403 forbidden” has a user role with only "See " and “See dashboard…” authorities and nothing else.

I have the same setup (user role with only “See dashboard…” and "See ") on 2.23 (though different database), but there it works fine.

Olav

···

On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe olav.poppe@me.com wrote:

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {
        "href": "[http://localhost/stable](http://localhost/stable)",
        "namespace": "dataQualityTool"
    }
}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Hi again (and sorry for the late reply).

There seems to be no meaningful changes (that I can find, at least) for this between 2.23 and 2.24, so the difference is most likely down to a difference between the two databases. Did you try the ‘working’ DB on 2.24?

Also copying in Stian, who is more familiar with the

is stuff than I am.

···

On Mon, Aug 8, 2016 at 8:53 PM, Olav Poppe olav.poppe@me.com wrote:

I have the same setup (user role with only “See dashboard…” and "See ") on 2.23 (though different database), but there it works fine.

Olav

  1. aug. 2016 kl. 17.00 skrev Halvdan Hoem Grelland halvdan@dhis2.org:

In order to access the data store your user needs either of the following:

  • The “ALL” authority (i.e. a Superuser)
  • The “M_dhis-web-maintenance-appmanager” authority (aka. "See apps maintenance module)
  • The "See " authority (the implicit app user auth)

I’m guessing your user doesn’t have the last one.

Thanks, the user that gets “403 forbidden” has a user role with only "See " and “See dashboard…” authorities and nothing else.

On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe olav.poppe@me.com wrote:

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {
        "href": "[http://localhost/stable](http://localhost/stable)",
        "namespace": "dataQualityTool"
    }
}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Also, what is the exact name of the “See …” authority in the system?

···

On Fri, Aug 12, 2016 at 10:44 AM, Halvdan Hoem Grelland halvdan@dhis2.org wrote:

Hi again (and sorry for the late reply).

There seems to be no meaningful changes (that I can find, at least) for this between 2.23 and 2.24, so the difference is most likely down to a difference between the two databases. Did you try the ‘working’ DB on 2.24?

Also copying in Stian, who is more familiar with the

is stuff than I am.

On Mon, Aug 8, 2016 at 8:53 PM, Olav Poppe olav.poppe@me.com wrote:

I have the same setup (user role with only “See dashboard…” and "See ") on 2.23 (though different database), but there it works fine.

Olav

  1. aug. 2016 kl. 17.00 skrev Halvdan Hoem Grelland halvdan@dhis2.org:

In order to access the data store your user needs either of the following:

  • The “ALL” authority (i.e. a Superuser)
  • The “M_dhis-web-maintenance-appmanager” authority (aka. "See apps maintenance module)
  • The "See " authority (the implicit app user auth)

I’m guessing your user doesn’t have the last one.

Thanks, the user that gets “403 forbidden” has a user role with only "See " and “See dashboard…” authorities and nothing else.


Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe olav.poppe@me.com wrote:

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {
        "href": "[http://localhost/stable](http://localhost/stable)",
        "namespace": "dataQualityTool"
    }
}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Hi,

So the reason you are getting the 403 error is because you don’t have access to the namespace according to the system.

The way namespace access is checked is as follows:

  1. No app has reserved the namespace: you have access

  2. An app has reserved the namespace, and the user has at least one of the authorities required( as listed by Halvdan): you have access

So most likely there is a problem concerning the naming related to the app, namespace or authorities, so be sure to double and triple check this.

There is another internal check as well that might trigger, but it seems unlikely:

  1. Logged in user does no exist (You are not logged in, or there is some problem elsewhere)

  2. Your user does not have credentials (Probably a problem elsewhere in the system)

  3. The app does not exists (but we know it does)

  4. The app does not have a name

Another thing you can test is that you can access the app itself with the problem user. If this works, let me know.

···

On Fri, Aug 12, 2016 at 10:44 AM, Halvdan Hoem Grelland halvdan@dhis2.org wrote:

Hi again (and sorry for the late reply).

There seems to be no meaningful changes (that I can find, at least) for this between 2.23 and 2.24, so the difference is most likely down to a difference between the two databases. Did you try the ‘working’ DB on 2.24?

Also copying in Stian, who is more familiar with the

is stuff than I am.

On Mon, Aug 8, 2016 at 8:53 PM, Olav Poppe olav.poppe@me.com wrote:

I have the same setup (user role with only “See dashboard…” and "See ") on 2.23 (though different database), but there it works fine.

Olav

  1. aug. 2016 kl. 17.00 skrev Halvdan Hoem Grelland halvdan@dhis2.org:

In order to access the data store your user needs either of the following:

  • The “ALL” authority (i.e. a Superuser)
  • The “M_dhis-web-maintenance-appmanager” authority (aka. "See apps maintenance module)
  • The "See " authority (the implicit app user auth)

I’m guessing your user doesn’t have the last one.

Thanks, the user that gets “403 forbidden” has a user role with only "See " and “See dashboard…” authorities and nothing else.


Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Aug 8, 2016 at 4:14 PM, Olav Poppe olav.poppe@me.com wrote:

Hi devs,
I’m having issues with access to a namespace in api/dataStore on 2.24. It works for superusers, but not with a “regular” user with access to the app that defines the namespace.

I have the following setup:

  • custom app with this in the manifest.webapp:

“activities”: {

    "dhis": {
        "href": "[http://localhost/stable](http://localhost/stable)",
        "namespace": "dataQualityTool"
    }
}

  • a user role giving access to this app, which from what I understand should also give access to the namespace defined/reserved by that app??

However, when trying to access the dataStore with a non-superuser, I get a 403 Forbidden response:

  • message: “The namespace ‘dataQualityTool’ is protected, and you don’t have the right authority to access it.”

Am I missing or misunderstanding something here? The same setup works on 2.23 on a different database, so I’m not sure if it’s a bug that it works in 2.23, that it does not work in 2.24, or if there is an intentional change from 23 to 24…

Regards

Olav


Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp


Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org

Halvdan Hoem Grelland

Software developer, DHIS 2

University of Oslo

http://www.dhis2.org