Esri / solution.js

TypeScript wrappers running in Node.js and modern browsers for transferring ArcGIS Online items from one organization to another.
https://esri.github.io/solution.js/
Apache License 2.0

External Feature Layers cannot be templatized #580

Open rweber-esri opened 3 years ago

rweber-esri commented 3 years ago

Solutions.js currently fails when attempting to templatize a publicly accessible Feature Layer from an external org.

Steps to reproduce:

  1. As any user in Org A, create a new Feature Layer, add some features, and publicly share
  2. Create a new Web Map, add the Feature Layer from step 1, and publicly share
  3. As an admin user in Org B, attempt to templatize the webmap.
  4. Observe Solutions.js fails to templatize the items.

An API error is served for the following request:

Request:

curl 'https://servicesqa.arcgis.com/T5cZDlfUaBpDnk6P/arcgis/rest/admin/services/1609859260652/FeatureServer?f=json' \
  -H 'authority: servicesqa.arcgis.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'accept: */*' \
  -H 'origin: https://test-1609860527645-qa-pre-a-hub.hubqa.arcgis.com:4200' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://test-1609860527645-qa-pre-a-hub.hubqa.arcgis.com:4200/' \
  -H 'accept-language: en-US,en;q=0.9' \
  --data-raw 'f=json&token=uCdJ_aCIuflwIO-2pWKOYp_hPVveJGocCJMOqnR6Hm8m9IdEuYS7m4VMO9wcyUP0hxV6ni16-ApRCVwoXVuy6PVO7ldmc8F9ywWJ1SAq2YRq8M_pjLtLM5QghH1rGnFkM4F6zN0Dxcu4gQrtgSEK0BPFJ2LS9BBXYyXgH-_NUxLJp2ILAFQypHGz1XTGJSM0Bc1Qh4Pp-VyvktatlLAX5ob0ztVYo4Yv3WIiEuwyLdk.' \
  --compressed

Response:

{"error":{"code":403,"message":"User does not have permissions to access this service","details":["User does not have permissions to access this service"]}}

This appears related to this line in getFeatureServiceProperties path on the URL.

Removing /admin from the URL results in a success response from the API.

Request:

curl 'https://servicesqa.arcgis.com/T5cZDlfUaBpDnk6P/arcgis/rest/services/1609859260652/FeatureServer?f=json' \
  -H 'authority: servicesqa.arcgis.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'accept: */*' \
  -H 'origin: https://test-1609860527645-qa-pre-a-hub.hubqa.arcgis.com:4200' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://test-1609860527645-qa-pre-a-hub.hubqa.arcgis.com:4200/' \
  -H 'accept-language: en-US,en;q=0.9' \
  --data-raw 'f=json&token=uCdJ_aCIuflwIO-2pWKOYp_hPVveJGocCJMOqnR6Hm8m9IdEuYS7m4VMO9wcyUP0hxV6ni16-ApRCVwoXVuy6PVO7ldmc8F9ywWJ1SAq2YRq8M_pjLtLM5QghH1rGnFkM4F6zN0Dxcu4gQrtgSEK0BPFJ2LS9BBXYyXgH-_NUxLJp2ILAFQypHGz1XTGJSM0Bc1Qh4Pp-VyvktatlLAX5ob0ztVYo4Yv3WIiEuwyLdk.' \
  --compressed

Response:

{"currentVersion":10.81,"serviceItemId":"949534d4b5644fdcab609e5b5a4ed507","serviceDescription":"","hasVersionedData":false,"supportsDisconnectedEditing":false,"hasStaticData":false,"hasSharedDomains":false,"maxRecordCount":2000,"supportedQueryFormats":"JSON","supportsVCSProjection":false,"capabilities":"Create,Delete,Query,Update,Editing,Sync","description":"","copyrightText":"","spatialReference":{"wkid":102100,"latestWkid":3857},"initialExtent":{"xmin":-14356986.047099045,"ymin":3328129.7896938594,"xmax":-6843031.7380439974,"ymax":5871843.5552304741,"spatialReference":{"wkid":102100,"latestWkid":3857}},"fullExtent":{"xmin":-14356986.047099045,"ymin":3328129.7896938594,"xmax":-6843031.7380439974,"ymax":5871843.5552304741,"spatialReference":{"wkid":102100,"latestWkid":3857}},"allowGeometryUpdates":true,"units":"esriMeters","supportsAppend":true,"supportsSharedDomains":true,"supportsWebHooks":true,"layerOverridesEnabled":true,"size":16384,"syncEnabled":true,"syncCapabilities":{"supportsAsync":true,"supportsRegisteringExistingData":true,"supportsSyncDirectionControl":true,"supportsPerLayerSync":true,"supportsPerReplicaSync":true,"supportsSyncModelNone":true,"supportsRollbackOnFailure":true,"supportsAttachmentsSyncDirection":true,"supportsBiDirectionalSyncForServer":true},"supportsApplyEditsWithGlobalIds":true,"supportsReturnDeleteResults":true,"supportsLayerOverrides ":true,"supportsTilesAndBasicQueriesMode ":true,"editorTrackingInfo":{"enableEditorTracking":true,"enableOwnershipAccessControl":false,"allowOthersToQuery":true,"allowOthersToUpdate":true,"allowOthersToDelete":false,"allowAnonymousToQuery":true,"allowAnonymousToUpdate":true,"allowAnonymousToDelete":true},"xssPreventionInfo":{"xssPreventionEnabled":true,"xssPreventionRule":"InputOnly","xssInputRule":"rejectInvalid"},"layers":[{"id":0,"name":"Point layer","parentLayerId":-1,"defaultVisibility":true,"subLayerIds":null,"minScale":0,"maxScale":0,"geometryType":"esriGeometryPoint"}],"tables":[]}

chris-fox commented 3 years ago

We do need admin access to create the template for hosted feature layer views (which are the same item type). So I think we need to figure out what we want to happen for a user, because it is a weird user experience if we work fine with Hosted Feature Services outside the org but not Hosted Feature Service Views (which are very commonly used).
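
The behaviour discussed in this thread, as an added TypeScript example that is not code from solution.js or from either commenter: it reads the error object out of the JSON body, and on a 403 from the `/admin` endpoint returns the non-admin URL to retry while recording that admin access was not granted, so a caller can tell the two cases apart. All function and type names are hypothetical; the sample URL and 403 body are the ones quoted in the issue.

```typescript
// Added example; every name here is hypothetical, not a solution.js API.
interface FetchPlan {
  adminAccess: boolean;    // true only if the admin endpoint answered without an error
  retryUrl: string | null; // non-admin endpoint to try next, or null if no retry applies
  reason: string;          // error message from the service, or a short status note
}

const ADMIN_SEGMENT = /\/rest\/admin\/services\//;

// Values copied from the issue report above.
const SAMPLE_ADMIN_URL =
  "https://servicesqa.arcgis.com/T5cZDlfUaBpDnk6P/arcgis/rest/admin/services/1609859260652/FeatureServer";
const SAMPLE_403_BODY =
  '{"error":{"code":403,"message":"User does not have permissions to access this service",' +
  '"details":["User does not have permissions to access this service"]}}';

// .../rest/admin/services/<name>/FeatureServer -> .../rest/services/<name>/FeatureServer
function toPublicServiceUrl(url: string): string {
  return url.replace(ADMIN_SEGMENT, "/rest/services/");
}

// Return {code, message} when the parsed body carries an "error" object, else null.
function getServiceError(body: unknown): { code: number; message: string } | null {
  if (typeof body !== "object" || body === null) return null;
  const err = (body as { error?: unknown }).error;
  if (typeof err !== "object" || err === null) return null;
  const e = err as { code?: unknown; message?: unknown };
  if (typeof e.code !== "number") return null;
  return { code: e.code, message: typeof e.message === "string" ? e.message : "" };
}

// Decide what to do after the admin endpoint has answered.
function planAfterAdminResponse(adminUrl: string, body: unknown): FetchPlan {
  const err = getServiceError(body);
  if (err === null) {
    return { adminAccess: true, retryUrl: null, reason: "admin properties available" };
  }
  // Only a permission failure on an /admin URL justifies retrying without /admin;
  // other errors (bad token, missing service) are surfaced unchanged.
  if (err.code === 403 && ADMIN_SEGMENT.test(adminUrl)) {
    return { adminAccess: false, retryUrl: toPublicServiceUrl(adminUrl), reason: err.message };
  }
  return { adminAccess: false, retryUrl: null, reason: err.message };
}
```

Keeping `adminAccess` in the result matters for the case raised in the last comment: a caller that needs admin-only properties can stop there instead of silently templating from the public response.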