Forum Discussion

MLachapelle's avatar
11 years ago

Bug with session token?

Hi,

 

I have noticed that some request that I do with the session token return an empty success anwser and if I remove the session token I receive the good answer with data.

Example of request with session token:

Request:
 /restapi/v1/boards/id/Setup/threads?restapi.session_key=ZUELDAYXkLATuJ7r0sfQbCKs_6wo75EbG_oDxAGl7kk.

Response:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<response status="success">
<threads/>
</response>

 

The same request but without the session_key:

Request:

http://coveo.demo.lithium.com/restapi/v1/boards/id/Setup/threads
Response:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<response status="success">
<threads>
<thread type="thread" href="/threads/id/4287">
<messages>
<count type="int">3</count>
<topic type="message" href="/messages/id/4287">

....

 

Am I the only one that noticed that?

 

Thanks

  • maybe you are using a different account in REST, which has limited permissions? for example, you are viewing the community in browser as administrator, so you can see all threads via browser, incl private board threads. while in your program/code, your rest api user can only view public threads.

  • As HaidongG is saying I think the problem is:

    If you specify the session token Lithium is trying to perform the call using the user linked to the session which the session token refers to.

    If you don't specify the session token Lithium will use your session cookie to determine what permission to aply to the call. Chances are that you were already logged in as Administrator and for such reason you are getting the right result.

    Probably the user linked to the session token doesn't have permission to access the board you were trying to query.

     

    I hope this helps,

    Nico

3 Replies

  • HaidongG's avatar
    HaidongG
    Lithium Alumni (Retired)
    11 years ago

    maybe you are using a different account in REST, which has limited permissions? for example, you are viewing the community in browser as administrator, so you can see all threads via browser, incl private board threads. while in your program/code, your rest api user can only view public threads.

  • NicoB's avatar
    NicoB
    Lithium Alumni (Retired)
    11 years ago

    As HaidongG is saying I think the problem is:

    If you specify the session token Lithium is trying to perform the call using the user linked to the session which the session token refers to.

    If you don't specify the session token Lithium will use your session cookie to determine what permission to aply to the call. Chances are that you were already logged in as Administrator and for such reason you are getting the right result.

    Probably the user linked to the session token doesn't have permission to access the board you were trying to query.

     

    I hope this helps,

    Nico

  • Thanks a lot for these quick answers.

     

    I found the problem. The problem was that my test user had permission revoked at the community level to read idea exchange and blog  but had read permission for forum post.

    Perhaps the problem is solved, the response that I received when trying to read boards that my user does not have enought permission was a "success" without any data. I think it would be better to receive an error like "permission denied" as in the browser. The message in the browser is:


    "Access Denied" "success" 
    Sorry, you do not have sufficient privileges for that action.

    Please click the Back button on your browser.