esi / esi-issues

Issue tracking and feature requests for ESI
https://esi.evetech.net/

Inconsistent 403 for New Nav Structures #1081

Open galister opened 5 years ago

galister commented 5 years ago

Bug

There is a particular structure that shows up on the owner corporation's structure list, but then 403s when trying to get the name of the structure via universe/structures using the same token.

I'm not seeing this issue on the older structure types.

Steps to reproduce:

  1. I call /v3/corporations/{corporation_id}/structures/ for my corporation.
    • In the response, included is a Pharolux Cyno Beacon with ID 1029161601740
  2. I call /v2/universe/structures/{structure_id}/ for the structure using the same token
    • Response is 403 Forbidden

Request

GET https://esi.evetech.net/v2/universe/structures/1029161601740?token=secret

Notes:

  • The token belongs to a full director of the corp that owns the structure
  • The corporation's entire alliance is allowed access via ACL
  • The token has both esi-universe.read_structures.v1 and esi-corporations.read_structures.v1

Response

403 Forbidden

Date: Thu, 13 Dec 2018 19:11:51 GMT
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,Authorization,If-None-Match,X-User-Agent
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset
Access-Control-Max-Age: 600
Strict-Transport-Security: max-age=31536000
X-Esi-Error-Limit-Remain: 99
X-Esi-Error-Limit-Reset: 9
X-Esi-Request-Id: 620ada7c-6d18-484a-9d53-f46cceb87bc1

[no body]

Expected

A 200 response with the data structure described here: https://esi.evetech.net/ui/#/Universe/get_universe_structures_structure_id

CarbonAlabel commented 5 years ago

Pretty sure this is due to the endpoint checking if the requesting character is allowed to dock in the structure, and the profile used by the structure not having docking permissions configured.

ghost commented 5 years ago

Carbon is correct. I've occasionally chatted with other developers about the possibility of having some kind of official way of advertising API visibility, but for the moment docking rights are a surrogate for "allow people to see information about this structure".

What is odd is that you can query the structure from the corporation route but then can't query that structure details with the same character. Usually structures have a default "allow corporation" ACL applied that implicitly allows docking. If you've explicitly removed that default ACL then you might want to add docking permissions to the one that is currently applied to the beacon.

I'm going to leave this ticket open to track a good example of why using docking to implicitly flag access is not good, but to be totally open about the situation finding a better way to handle this is not at the top of anyone's list and would require buy-in from a gameplay team to implement.

jowrjowr commented 5 years ago

this is likely a reflection of the earlier bug during sisi testing where if you didn't have docking access, you couldn't see the navigation structure on the overview.

lots of assumptions have "docking" as its center of gravity.

galister commented 5 years ago

good to know, thanks.

ghost commented 5 years ago

I'd like to leave this issue open to track this deficiency and potentially collect related issues under it.

disc commented 5 years ago

Hello, I have a similar issue related to the universe structures API. I've got three cases:

1) Response code is 200 for a non-existent / destroyed ansiblex bridge: https://esi.evetech.net/latest/universe/structures/1029306641117/?datasource=tranquility returns 200 with

{
  "name": "25S-6P » Q-U96U - Starbridge Omega",
  ...
  "solar_system_id": 30001258,
  "type_id": 35841
}

but there is no such bridge in game.

2) Response code is 403 for the jump bridge that I can use and see in the Structure browser: https://esi.evetech.net/latest/universe/structures/1029224531639/?datasource=tranquility returns 403 Forbidden, but I see this bridge in-game (<url=showinfo:35841//1029224531639>XWY-YM » DTX8-M - TEST Connection</url> in-game link).

3) Response code is 403 for a non-existent structure when 404 is expected: https://esi.evetech.net/latest/universe/structures/2229224531222/?datasource=tranquility returns 403 for the non-existent structure ID 2229224531222.

CarbonAlabel commented 5 years ago

@disc Problems like your case 1 have been mentioned before, with the structure being unanchored instead of destroyed suggested as a possible trigger. A separate issue should be opened about that. Case 2 is most likely a manifestation of this issue, and case 3 is behaviour as designed, see https://github.com/esi/esi-issues/issues/1000.

disc commented 5 years ago

> @disc Problems like your case 1 have been mentioned before, with the structure being unanchored instead of destroyed suggested as a possible trigger. A separate issue should be opened about that. Case 2 is most likely a manifestation of this issue, and case 3 is behaviour as designed, see #1000.

Created an issue for case 1: #1129. Got you on case 3 as well, but I think the 404 status code needs to be removed from this endpoint's documentation because it could be confusing.

What about case 2? Will it be investigated and possibly solved?

aebe commented 4 years ago

Commenting to note another reason this is annoying: it makes it impossible to search for Ansiblex jump gates which you are allowed to use via the authed search endpoint, if you are not allowed to dock (deposit fuel) in them. We have found this to be a common situation with friendly alliances.
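
Added example (not part of the thread and not ESI's own code): a client-side way to label the responses discussed above, treating a 403 on a structure the corporation route already listed as missing docking access, and any other 403 as "forbidden or nonexistent". The `get` helper, the labels, `min_errors_left` and the sample responses are constructed for illustration; the structure IDs and status codes are the ones reported in the thread.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

# (status, headers, json_body) as returned by a hypothetical injected HTTP helper
Response = Tuple[int, Dict[str, str], dict]

def classify_structures(owned_ids: Iterable[int], lookup_ids: Iterable[int],
                        get: Callable[[str], Response],
                        min_errors_left: int = 10) -> Dict[int, Tuple[str, Optional[str]]]:
    """Resolve structure names and label every 403 by what it can actually mean."""
    owned = set(owned_ids)          # IDs from /v3/corporations/{corporation_id}/structures/
    pending = list(lookup_ids)
    result: Dict[int, Tuple[str, Optional[str]]] = {}
    while pending:
        sid = pending.pop(0)
        status, headers, body = get(f"/v2/universe/structures/{sid}/")
        headers = {k.lower(): v for k, v in headers.items()}
        if status == 200:
            # Case 1 in the thread: a 200 alone does not prove the structure still exists.
            result[sid] = ("reported", body.get("name"))
        elif status == 403 and sid in owned:
            # Listed by the corporation route, so it exists; the thread attributes
            # this 403 to the applied profile lacking docking permission.
            result[sid] = ("owned_no_docking_access", None)
        elif status == 403:
            # Case 3: unknown IDs also return 403, so the two cannot be told apart.
            result[sid] = ("forbidden_or_nonexistent", None)
        else:
            result[sid] = (f"http_{status}", None)
        # Assumption: error responses consume the budget reported in this header.
        remain = int(headers.get("x-esi-error-limit-remain", "100"))
        if status >= 400 and remain < min_errors_left:
            for rest in pending:    # stop probing before the error limit is exhausted
                result[rest] = ("skipped_error_budget", None)
            break
    return result

# Constructed responses mirroring the statuses reported in the thread.
SAMPLE = {
    1029161601740: (403, {"X-Esi-Error-Limit-Remain": "99"}, {}),
    1029306641117: (200, {}, {"name": "25S-6P » Q-U96U - Starbridge Omega"}),
    2229224531222: (403, {"X-Esi-Error-Limit-Remain": "9"}, {}),
    1029224531639: (403, {"X-Esi-Error-Limit-Remain": "8"}, {}),
}

def fake_get(path: str) -> Response:
    return SAMPLE[int(path.rstrip("/").rsplit("/", 1)[1])]

if __name__ == "__main__":
    print(classify_structures([1029161601740], list(SAMPLE), fake_get))
```

In a real client, `get` would send the token in the `Authorization` header rather than in the query string, so it stays out of URLs and access logs.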