JSON:API PATCH request wants permission that doesn't exist?

Created on 21 May 2021, over 3 years ago
Updated 2 October 2023, about 1 year ago

Problem/Motivation

Altering a message instance through JSON:API fails with a "403 Forbidden" error unless the user running the PATCH request has the "Bypass message access control" permission. Assigning the template-specific or any-template "Edit" permission has no effect on JSON:API PATCH requests. Strangely, the full 403 error states that the "update [name_of_template] message" permission is required, which suggests that somewhere there's confusion between "editing" and "updating", although I'm new enough to Drupal that I wasn't able to find the source of the problem.

For what it's worth, the Create, View, and Delete permissions appear to be working just fine.

Steps to reproduce

  1. Install the Message UI and JSON:API modules
  2. Configure JSON:API to allow creation, updates, and deletes
  3. Create a new Message Template
  4. Create an instance of the new Message Template
  5. Give a non-administrative user the "[Message Template] Message: Edit a message instance" permission
  6. Try to update the message using a JSON:API PATCH request (this will fail with a 403 error)
  7. Give a non-administrative user the "Edit any message template" permission
  8. Try to update the message using a JSON:API PATCH request (this will fail with a 403 error)
  9. Give a non-administrative user the "Bypass message access control" permission
  10. Try to update the message using a JSON:API PATCH request (this will succeed)
🐛 Bug report
Status

Fixed

Component

Code

Created by

🇨🇦 Canada russell-ault
