Permission denied when searching

JJTL · Sep 27, 2017

Sometimes when searching I seem to get a permission denied error.

Here's a screenshot and the relevant JSON response

{"errors":[{"status":"401","code":"permission_denied"}]}

Thanks

Slacor · Sep 27, 2017

Hmm. Tricky.
I assume searches prior and post work ok?

JJTL · Sep 27, 2017

Posting works, trying a random search doesn't. I think the search still works if I reload the page though.

EeDenon · Sep 28, 2017

While searching, it will automatically query USERS and ~~POSTS~~ (DISCUSSIONS), but the admin has set the permission of user list. So the above happened...

Set the permission of user list to be publicly accessed can solve this issue (in admin panel)

Slacor · Sep 29, 2017

I changed it to members.
Not sure if there's any risk of spam by making it publicly available.
Anyway to check what's being revealed in those requests (eg. email address)?

JJTL · Sep 29, 2017

Slacor I'll take a look in a bit

EeDenon · Oct 2, 2017

It requests this URL: https://ledstrain.org/api/users

Here is the content of "users"

{
"type":"users",
"id":"10",
"attributes":{
	"username":"xxxx",
	"avatarUrl":null,
	"bio":null,
	"joinTime":"2016-10-00T13:13:41+00:00",
	"discussionsCount":0,
	"commentsCount":2,
	"canEdit":false,
	"canDelete":false,
	"lastSeenTime":"2017-07-00T02:19:38+00:00",
	"canSuspend":false
	},
"relationships":{
	"groups":{"data":[]}
	}
}

So, no email included, it's safe.

I think it's a bug, and Flarum Team might fix it at the next release. @Slacor

JJTL · Oct 2, 2017

eDenon Yup. I was going to post that. I already checked but was busy with other things.

Thanks.