I have tried to create a node on Drupal 8 via REST services. I have attached a file for the request. On my site, administrators and authenticated users can post a node.
Now the problem here is that I posted the node with the credentials of userID "1", but in the request JSON I passed "uid":"target_id":"7" and it created a node whose author is userID "7", but it should be userID "1". Please refer to the image given below.
I think this is not expected, because this way any authenticated user can create a post for any other user.
I think author information should be fetched from the "Authorization" header. In addition to this, if I don't specify "uid" in the request body then it takes it as anonymous (not verified), but it should derive author information from "Authorization". I need community review for this.
Comments
Comment #1
larowlan
For the UI it checks if the user has the permission "administer nodes"; if so, the user can change the author. User 1 has every permission. Does it work the other way, i.e. posting a node as user 7 with target id 1?
Comment #2
vivekvpandya
No. I actually gave the authenticated user permission to create "tip" (i.e. a custom bundle type on my Drupal site) and the permission "Access POST on Tip via REST", and I tried to create a node with uid = "1" or uid = "uid for the user itself". It gives me "error":"Access denied on creating field path."
Comment #3
vivekvpandya
With the UI I am able to create a new node without an administrator account, as I have given permission for that to authenticated users, but with REST it is not possible, i.e. though I have given POST access for a node, I am not able to create a node with an authenticated user's credentials.
Comment #4
lathan
I have also got into this situation and cannot get a user to post any longer. After granting the approved user access to REST permissions and perms to create/view/edit, it seems to have gotten stuck. No matter what I do now in the permissions, the only users that can now use services to create content are administrators.
Comment #5
Berdir
#2098355: Missing default access for all node fields recently landed, which implemented base field access control for node fields. I suspect that is related.
Comment #6
lathan
I found the issue: the role that is using the service needs to be given the path permission "Create and edit URL aliases". Then everything works again.
Comment #7
R.Muilwijk
Is this something the REST API should fix? Just a solution for author uid would not be suitable. When doing form alters it is possible to deny access to a piece of a form using #access. This is not handled when sending JSON data. A proper solution would be node validations / field validations of whether certain values are permitted.
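The per-field check that comment #7 asks for, as an added Python sketch (a simplified model, not Drupal's code and not posted by any commenter): a field in the request body is accepted only if the authenticated account holds the permission guarding it, and a missing author defaults to that account. The permission machine names, the account structure and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumed mapping of restricted node fields to the permission that unlocks them.
# Machine names are assumptions modelled on the labels quoted in the thread.
FIELD_PERMISSION = {
    "uid": "administer nodes",     # only node administrators may pick the author
    "path": "create url aliases",  # "Create and edit URL aliases"
}


class AccessDenied(Exception):
    """Maps to a 403 response in this model."""


def create_node(account, raw_body):
    """Validate a POSTed node against the authenticated account, field by field.

    account: {"uid": int, "permissions": set of str}, as resolved from the
    Authorization header by an authentication layer that is not shown here.
    """
    body = json.loads(raw_body)
    perms = account["permissions"]
    bundle = body["type"][0]["target_id"]
    if f"create {bundle} content" not in perms:
        raise AccessDenied(f"Access denied on creating {bundle} node.")
    node = {}
    for field, value in body.items():
        needed = FIELD_PERMISSION.get(field)
        if needed is not None and needed not in perms:
            raise AccessDenied(f"Access denied on creating field {field}.")
        node[field] = value
    # No uid supplied: the author is the authenticated user, never anonymous.
    node.setdefault("uid", [{"target_id": account["uid"]}])
    return node


# Constructed sample accounts and request bodies.
ADMIN = {"uid": 1, "permissions": {"create tip content", "administer nodes",
                                   "create url aliases"}}
AUTHOR = {"uid": 7, "permissions": {"create tip content"}}
PLAIN = json.dumps({"type": [{"target_id": "tip"}], "title": [{"value": "Hello"}]})
SPOOFED = json.dumps({"type": [{"target_id": "tip"}], "title": [{"value": "Hello"}],
                      "uid": [{"target_id": 1}]})

if __name__ == "__main__":
    print(create_node(AUTHOR, PLAIN)["uid"])   # author derived from the account
    print(create_node(ADMIN, SPOOFED)["uid"])  # administrator may set the author
    try:
        create_node(AUTHOR, SPOOFED)
    except AccessDenied as exc:
        print(exc)
```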
Comment #8
allella
Thanks #6
In Drupal 8, I was getting
while trying to do a basic hal+json POST over the REST API using an authenticated user.
I wasn't including a URL or Path Alias, just a Title as shown below, but that still returned a "403 Forbidden" response.
Enabling "Create and edit URL aliases" under /admin/people/permissions made it work.
Basic hal+json POST Example
Note: you'll need to change out the href to your domain, and "your-node-type" should be whatever content type you use (page, article, or your custom type).
Comment #9
Wim Leers
#2098355: Missing default access for all node fields fixed this. I worked on manually reproducing this, and got the expected response:
Comment #10
Wim Leers