Error: Permission denied for action get on class _User

enodev · November 9, 2021, 2:46pm

Hi guys,

I would use some help properly setting up ACL for my user class.

I currently have the following user (unrelated fields omitted for clarity):

{ "_id" : "l0HvshPwd5", "_wperm" : [ "l0HvshPwd5" ], "_rperm" : [ "*", "l0HvshPwd5" ], "_acl" : { "l0HvshPwd5" : { "w" : true, "r" : true }, "*" : { "r" : true } } }

This looks to me like everybody can read that user, and only the user itself can modify itself.

I then have a session token for that user.

When I try to GET /users/me with the session token, I correctly receive the info about the user.

When I try to GET /users/l0HvshPwd5 with the appropriate session token I get an error: error: Permission denied for action get on class _User..

I would like to understand what I am missing so that each user can query itself not only via /users/me but also via /users/<id>.

Looking at my _SCHEMA for user, I do have the following permissions setup:

"class_permissions" : { "get" : {  }, "find" : {  }, "count" : {  }, "create" : { "*" : true }, "update" : {  }, "delete" : {  }, "addField" : {  } } }

could you please help? I am little confused about the ACL right now.

thanks,
Martin

uzaysan · November 9, 2021, 2:54pm

I think its class level permission issue. Try to change settings on dashboard for user class.

enodev · November 9, 2021, 3:20pm

For anybody following along, it was indeed a CLP issue. The correct setting seems to be the "requiresAuthentication" : true passed in for the get:

"class_permissions" : { "get" : { "requiresAuthentication" : true }, "find" : {  }, "count" : {  }, "create" : { "*" : true }, "update" : {  }, "delete" : {  }, "addField" : {  }, "protectedFields" : {  } } }