Permission denied when searching

Sometimes when searching I seem to get a permission denied error.

Here's a screenshot and the relevant JSON response

{"errors":[{"status":"401","code":"permission_denied"}]}

Thanks

Hmm. Tricky.
I assume searches prior and post work ok?

Posting works, trying a random search doesn't. I think the search still works if I reload the page though.

While searching, it will automatically query USERS and POSTS (DISCUSSIONS), but the admin has set the permission of the user list, so the above happened...

Setting the permission of the user list to be publicly accessible (in the admin panel) can solve this issue.

I changed it to members.
Not sure if there's any risk of spam by making it publicly available.
Any way to check what's being revealed in those requests (e.g. email address)?


    It requests this URL: https://ledstrain.org/api/users

    Here is the content of "users"

    {
    "type":"users",
    "id":"10",
    "attributes":{
    	"username":"xxxx",
    	"avatarUrl":null,
    	"bio":null,
    	"joinTime":"2016-10-00T13:13:41+00:00",
    	"discussionsCount":0,
    	"commentsCount":2,
    	"canEdit":false,
    	"canDelete":false,
    	"lastSeenTime":"2017-07-00T02:19:38+00:00",
    	"canSuspend":false
    	},
    "relationships":{
    	"groups":{"data":[]}
    	}
    }

    So, no email included, it's safe.

    I think it's a bug, and Flarum Team might fix it at the next release. @Slacor


      eDenon Yup. I was going to post that. I already checked but was busy with other things.

      Thanks.
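The thread asks how to check what the `/api/users` requests reveal. The following is an added example, not part of the thread and not Flarum code: a Python audit of a saved response that flags private-looking attributes. The `data`/`included` envelope follows JSON:API; the field-name list and the sample users are constructed assumptions.

```python
import json
import re

# Assumed list of field names that usually carry private data; extend as needed.
SENSITIVE_KEY = re.compile(r"e-?mail|passw|token|secret|phone|ip_?addr", re.I)
EMAIL_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample: user 10 mirrors the fields shown in the thread,
# user 11 is a made-up record that leaks an address in two places.
SAMPLE = json.loads("""
{"data": [
  {"type": "users", "id": "10", "attributes":
    {"username": "xxxx", "bio": null, "commentsCount": 2, "canEdit": false}},
  {"type": "users", "id": "11", "attributes":
    {"username": "yyyy", "bio": "mail me: someone@example.org",
     "email": "someone@example.org"}}
]}
""")

def walk(value, path):
    """Yield (path, leaf) for every scalar nested under value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]")
    else:
        yield path, value

def resources(doc):
    """Return every resource object: primary data plus side-loaded 'included'."""
    data = doc.get("data") or []
    if isinstance(data, dict):  # a single-resource response
        data = [data]
    return list(data) + list(doc.get("included") or [])

def audit(doc):
    """Return (resource, attribute path, reason) for each suspicious attribute."""
    findings = []
    for res in resources(doc):
        label = f'{res.get("type")}/{res.get("id")}'
        for path, leaf in walk(res.get("attributes") or {}, "attributes"):
            if SENSITIVE_KEY.search(path.rsplit(".", 1)[-1]):
                findings.append((label, path, "sensitive field name"))
            elif isinstance(leaf, str) and EMAIL_VALUE.search(leaf):
                findings.append((label, path, "value looks like an e-mail address"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Run it against responses fetched both logged out and as an ordinary member, since the attributes returned can differ by permission level.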
