User role labels like "seller" or "buyer" are not reflected in the response JSON object when we request jsonapi/node/{content type}/[uuid].


Comments

navneet0693 created an issue. See original summary.

Wim Leers’s picture

Worse, if you follow the link to the Role config entity, you still can't see the ID nor the label. So you have no way of knowing it's the anonymous, authenticated, or whatever role!

Wim Leers’s picture

Title: User role label isn't reflected in response at jsonapi/user/user/[uuid] » Role config entity ID + label are not exposed anywhere in JSON API output

e0ipso’s picture

Issue summary: View changes

Grimreaper’s picture

Hello,

I can't reproduce the bug. Is there some setup to have before?

I am testing using an admin user and as you can see on the attached screenshots, if I use the related link on the roles relationship or if I go to the user role listing endpoint I can see the role label, uuid, id.

navneet0693’s picture

@Grimreaper Yes. You can surely access by user role hitting multiple jsonapi endpoints, but an anonymous user cannot. You will have to give permissions for the anonymous user to access the user profile data, after which they can access it.

Now I have an application which shows seller information in the sidebar when a property for sale (node) is visited. Now, to allow the frontend web app to read the role of the user, I will have to hit /jsonapi/user/user/{uuid}, but initially it will return 403 until you give permission for anonymous to read user information.

Grimreaper’s picture

@navneet0693 Thanks for the reply.

OK, so it is the standard Drupal access system that blocks you and not the JSONAPI, as it uses the Drupal entity access system (correct me if I am wrong).

On your application, if you need to show seller information in a sidebar, you have to give the anonymous user the right permission to access this information.

I don't know how you structured your application, but I suppose something like a "property" content type with an entity reference field targeting users to reference the seller, or the seller is the node's author (which is almost equal to an entity reference field on users). So I think it is legit to allow the anonymous user to view user accounts. Unless there is something you didn't mention in your previous comment that requires preventing that.

navneet0693’s picture

Issue summary: View changes

@Grimreaper I understand it. We will try to change our implementation. Meanwhile, would it be good if JSON API at least exposed the roles of a user when we request node/{content type}/{uuid}?

Grimreaper’s picture

Hello,

@navneet0693: I don't know, we can wait for a module maintainer to express their opinion on it.

e0ipso’s picture

Status: Active » Closed (works as designed)

> You can surely access by user role hitting multiple jsonapi endpoints

That is not entirely correct. You should be able to use includes to do that. See: https://www.youtube.com/watch?v=NMnIgrdUga8&list=PLZOQ_ZMpYrZsyO-3IstImK...

Please reopen this issue if you cannot get the role information with that technique.
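
The include technique suggested in the last comment, as an added example that is not part of the original thread or the module's own code: a client requests the node with its author and the author's roles in one compound document, then resolves the role labels from `included`. The request path, the "property" bundle, the `uid`/`roles` relationship names, the `label` attribute and all sample values are assumptions constructed for illustration; the resolver reports when a linked resource was left out of `included` (as happens when entity access denies it) instead of guessing.

```javascript
// Assumed request: GET /jsonapi/node/property/{uuid}?include=uid.roles
// (bundle name, field names and sample values are constructed for this example)

// Index every resource in `included` by "type:id" for linkage lookups.
function indexIncluded(doc) {
  const index = new Map();
  for (const res of doc.included || []) index.set(`${res.type}:${res.id}`, res);
  return index;
}

// Follow one relationship. Linkage whose target is absent from `included`
// (for example withheld by entity access) is returned in `missing`.
function follow(resource, field, index) {
  const data = resource?.relationships?.[field]?.data;
  const linkage = Array.isArray(data) ? data : data ? [data] : [];
  const found = [];
  const missing = [];
  for (const ref of linkage) {
    const hit = index.get(`${ref.type}:${ref.id}`);
    if (hit) found.push(hit); else missing.push(ref);
  }
  return { found, missing };
}

// Returns { labels, complete }; complete is false when any hop was withheld.
function sellerRoleLabels(doc) {
  const index = indexIncluded(doc);
  const author = follow(doc.data, 'uid', index);
  if (author.found.length === 0) return { labels: [], complete: false };
  const roles = follow(author.found[0], 'roles', index);
  return {
    labels: roles.found.map((r) => r.attributes?.label),
    complete: author.missing.length === 0 && roles.missing.length === 0,
  };
}

// Constructed sample response for the assumed request above.
const sampleDoc = {
  data: { type: 'node--property', id: 'n-1',
    relationships: { uid: { data: { type: 'user--user', id: 'u-1' } } } },
  included: [
    { type: 'user--user', id: 'u-1', attributes: { name: 'alice' },
      relationships: { roles: { data: [{ type: 'user_role--user_role', id: 'r-1' }] } } },
    { type: 'user_role--user_role', id: 'r-1', attributes: { label: 'Seller' } },
  ],
};
```

When `complete` is false, the frontend should treat the role as unknown rather than render a default, since the missing resource reflects what the requesting account is allowed to view.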