knadh / listmonk

High performance, self-hosted, newsletter and mailing list manager with a modern dashboard. Single binary app.
https://listmonk.app
GNU Affero General Public License v3.0

Multiple API Permission Issues in 4.0 #2111

Closed mikeckennedy closed 2 days ago

mikeckennedy commented 2 days ago

This may not be a problem. Sorry for the false alarm. I missed adding the credentials AS AN API USER in the instructions. I had a user where the link pointed and used those values, but it was a regular user, not an API user.

Version:

Description of the bug and steps to reproduce: I make the Python Listmonk library. I've been using it on our sites for a while. When upgrading to 4.0 we started getting weird permission issues.

  1. Calling simple functions like health failed with the old API auth (basic encoded header I think it was). Moving to passing the equivalent of -u "username:password" in curl as in the docs, this fails if you remove the username password from the config.toml! There is a huge banner warning that we should do this (which is good) but when doing so, the API starts returning 403 permission errors when it otherwise returns 200 OK if I leave the username/password in the config file and tolerate the warnings.
  2. Even if I leave the user/pw in the config, the endpoint /api/lists/NUMBER is returning 400 bad request with the error text suggesting the status code should be 403: {"message":"Permission denied: list"}. Though of course, it should return 200 OK still. This updated method does pass the username/password just like the other endpoints which do succeed.

Please advise. :) I'd love to update the library ASAP.

knadh commented 2 days ago

> This may not be a problem. Sorry for the false alarm. I missed adding the credentials AS AN API USER in the instructions. I had a user where the link pointed and used those values, but it was a regular user, not an API user.

Shall I close the issue? Creating an API user with the right role/permissions worked, right?

mikeckennedy commented 2 days ago

Yes, @knadh, let's close it. I got the permissions working now. Though I think there is still a bug in the API, but it doesn't have to do with permissions, so I'll circle back with a second issue if it's confirmed. Thank you!