signalpoint / angular-drupal

An Angular JS module for Drupal.
GNU General Public License v2.0

403 Forbidden on saving a user (PATCH) #31

Closed e2o closed 8 years ago

e2o commented 8 years ago

Hello again,

When trying to edit any field on a user, I get a 403 Forbidden on the PATCH to update that user, with the detailed error message:

{"error":"Access denied on updating field 'name'."}

Strange thing is, I'm not even updating/changing that field's value.

The code sample on which I get this error is the following:

var user = drupal.currentUser();
user.entity.field_hobbies[0].value = "Programming, cooking, sports,...";
user.save().then(function(){
    console.log("user saved successfully");
});

My permissions in D8 are set up like this: [screenshot]

And my REST settings: [screenshot]

Am I missing something here? I have no idea why I get the error on the 'name' field, even when I try to update the user without changing any fields at all.

signalpoint commented 8 years ago

@EnzoEghermanne this is most likely related to this issue: https://www.drupal.org/node/2631774 - Although that issue is for updating comments, I think it's essentially the same problem in that Drupal thinks we're trying to update a protected value, and is rejecting it with an access denied.

In the meantime, you may be able to preprocess the request and remove the user name from the data that is being PATCHed: http://jdrupal.easystreet3.com/8/api/API.js.html

e2o commented 8 years ago

@signalpoint It seems like it is indeed related to that issue.

Could you give me a small example on how and where I would implement the _hook_rest_preprocess function? I can't figure out what to do with it...

kentr commented 8 years ago

@EnzoEghermanne As a quick & dirty test, does removing the name property allow the entity to save? Something like this, with delete:

var user = drupal.currentUser();
user.entity.field_hobbies[0].value = "Programming, cooking, sports,...";
// Delete name b/c of https://www.drupal.org/node/2631774
// This may require a cloned object to prevent altering the original entity.
delete user.entity.name;
user.save().then(function(){
    console.log("user saved successfully");
});

e2o commented 8 years ago

@kentr I'm not at the office at the moment. I'll try it out first thing in the morning and keep u guys posted.

Thanks for the suggestion.

e2o commented 8 years ago

@kentr You were right, it was because the request tried to PATCH the disallowed fields name, created, changed and roles, even though they were unaltered. So this is what I did:

var user = drupal.currentUser();
user.entity.field_hobbies[0].value = "Programming, cooking, sports,...";
delete user.entity.name;
delete user.entity.created;
delete user.entity.changed;
delete user.entity.roles;
user.save().then(function(){
    console.log("user saved successfully");
});

Which resulted in: [screenshot]

Thanks for the help!
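The workaround above, written out as a reusable helper (an added example, not code from this thread or from the angular-drupal/jdrupal projects): it clones the entity before dropping the protected fields so the object held by drupal.currentUser() is not altered, goes a step further than the thread by sending only the fields whose value actually changed, and parses Drupal's 403 body to learn which field was refused instead of guessing. The field shape, the sample user and the assumption that the endpoint accepts partial PATCH bodies are all constructed for this example.

```javascript
// Fields that Drupal 8's REST module refused in the thread's user PATCH even
// when they were unchanged: name, created, changed and roles.
const PROTECTED_USER_FIELDS = ['name', 'created', 'changed', 'roles'];

// Deep-copy the entity and drop the protected fields, so the object returned by
// drupal.currentUser() is left intact (the cloning caveat raised above).
function stripProtectedFields(entity, protectedFields = PROTECTED_USER_FIELDS) {
  const copy = JSON.parse(JSON.stringify(entity));
  for (const field of protectedFields) delete copy[field];
  return copy;
}

// Beyond what the thread does: keep only fields whose value differs from the
// original, so the PATCH body is minimal and never touches a field the caller
// may lack permission to write. Assumes the endpoint accepts partial bodies.
function buildPatchBody(original, edited, protectedFields = PROTECTED_USER_FIELDS) {
  const body = {};
  for (const field of Object.keys(edited)) {
    if (JSON.stringify(original[field]) !== JSON.stringify(edited[field])) {
      body[field] = edited[field];
    }
  }
  return stripProtectedFields(body, protectedFields);
}

// Extract the field name from Drupal's 403 body, e.g.
// {"error":"Access denied on updating field 'name'."}, so the caller can add it
// to the protected list. Returns null for anything else.
function deniedFieldFromError(responseText) {
  let parsed;
  try { parsed = JSON.parse(responseText); } catch (e) { return null; }
  const message = (parsed && typeof parsed.error === 'string') ? parsed.error : '';
  const m = /Access denied on updating field '([^']+)'/.exec(message);
  return m ? m[1] : null;
}

// Constructed sample in the shape Drupal 8 serialises a user entity; not taken
// from a real site.
const sampleUser = {
  uid: [{ value: 5 }],
  name: [{ value: 'example-user' }],
  created: [{ value: 1450000000 }],
  changed: [{ value: 1450000000 }],
  roles: [{ target_id: 'authenticated' }],
  field_hobbies: [{ value: '' }],
};
const edited = JSON.parse(JSON.stringify(sampleUser));
edited.field_hobbies[0].value = 'Programming, cooking, sports,...';
const patchBody = buildPatchBody(sampleUser, edited);
console.log(JSON.stringify(patchBody)); // only field_hobbies survives
```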

kentr commented 8 years ago

Glad to know it worked.

As I thought about it this morning, I wondered if granting Drupal's Change own username permission would allow the name field to be in the PATCH (at admin/people/permissions).

e2o commented 8 years ago

I'll try it out next week, but if I recall correctly that was something I already tried out. Will keep u posted.

EDIT: Tested out the permissions as proposed; the 403 Forbidden on the PATCH for field name appeared again. So I guess just deleting these entities before saving is the only option for now.