When querying the user account of a user with permission to resource user, I always get "permission denied".

Example:

http://example.com/user.json?uid=4

or

http://example.com/user.json?name=timlie

gives "permission denied".

When giving this user the "administer users" permission I get the correct json string.
Is this by design because I would think a user can query its own user account...

Thanks!

Comments

Media Crumb’s picture

Same issue. The module states that everything works based off permissions, but this is hardly the case in real-world practice. I feel like I spend most of my time trying to hack the module instead of it just "working" as was the intention of RESTws in the first place. For instance:

I have all profiles set to viewable by anonymous within permissions. However, in RESTws I get forbidden for users of my app when I try to hit the resource. I assume this is because anonymous users are not allowed CRUD on profiles. While that makes sense, it doesn't solve these types of everyday scenarios where areas are viewable but not editable. On top of that, it isn't consistent in any way. Content Types work fine for anonymous users, but this isn't the case for profiles. I'm starting to wonder if this should even be used on a production app.

dalin’s picture