Closed e2o closed 8 years ago
@EnzoEghermanne this is most likely related to this issue: https://www.drupal.org/node/2631774 - Although that issue is for updating comments, I think it's essentially the same problem in that Drupal thinks we're trying to update a protected value, and is rejecting it with an access denied.
In the mean time, you may be able to preprocess the request and remove the user name from the data that is being PATCHed: http://jdrupal.easystreet3.com/8/api/API.js.html
@signalpoint It seems like it is indeed related to that issue.
Could you give me a small example on how and where I would implement the _hook_rest_preprocess function? I can't figure out what to do with it...
@EnzoEghermanne As a quick & dirty test, does removing the name
property allow the entity to save? Something like this, with delete:
var user = drupal.currentUser();
user.entity.field_hobbies[0].value = "Programming, cooking, sports,...";
// Delete name b/c of https://www.drupal.org/node/2631774
// This may require a cloned object to prevent altering the original entity.
delete user.entity.name;
user.save().then(function(){
console.log("user saved successfully");
});
@kentr I'm not at the office at the moment. I'll try it out first thing in the morning and keep u guys posted.
Thanks for the suggestion.
@kentr You were right, it was because the request tried to PATCH the disallowed fields name, created, changed and roles, even though they were unaltered. So this is what I did:
var user = drupal.currentUser();
user.entity.field_hobbies[0].value = "Programming, cooking, sports,...";
delete user.entity.name;
delete user.entity.created;
delete user.entity.changed;
delete user.entity.roles;
user.save().then(function(){
console.log("user saved successfully");
});
Which resulted in:
Thanks for the help!
Glad to know it worked.
As I thought about it this morning, I wondered if granting Drupal's Change own username permission would allow the name
field to be in the PATCH (at admin/people/permissions
).
I'll try it out next week, but if I recall correctly that was something I already tried out. Will keep u posted.
EDIT: Tested out the permissions as proposed, the 403 Patch forbidden on field name appeared again. So I guess just deleting these entities before saving is the only option for now.
Hello again,
When trying to edit any field on a user, i get a 403 forbidden on the PATCH to update that user, with the detailed error message:
{"error":"Access denied on updating field 'name'."}
Strange thing is, i'm not even updating/changing that field's value.
The code sample on which I get this error is the following:
My permissions in D8 are set up like this:
And my REST settings:
Am I missing something here? I have no idea why i get the error on the 'name' field, even when I try to update the user without even changing any fields.