9 Replies Latest reply on Dec 4, 2014 2:20 PM by jmarleau

    REST API - You are not allowed to perform this request

    jmarleau

      Hi,

      Hope someone can help me find the security issue!

      I've created a script in an HTML widget that loads a document using the GET REST API.  Users are allowed to modify the content and save the result.  The save does a REST API post to the document that was originally loaded and saves the content.  I've tested successfully with my user, but once I have another user testing, the REST API returns a 403 error - You are not allowed to perform this request.

      Both users have manage access to the space with Full Control.

      If I try to go directly to the document, with either user, I am able to edit the document.

      GET

      "content" : {
            "type" : "text/html",
            "text" : "<body><!-- [DocumentBodyStart:4572ba6c-82ba-4284-a0ad-30699c43c7af] --><div class=\"jive-rendered-content\">
      <table class=\"Data\"><thead><tr><th style=\";\">Messages</th></tr></thead>
      <tbody>
      <tr><td style=\";\">I edited this message with my doc owner</td></tr>
      <tr><td style=\";\">I edited this message with my user</td></tr>
      <tr><td style=\";\">I want to edit with REST</td></tr>
      </tbody>
      </table></div><!-- [DocumentBodyEnd:4572ba6c-82ba-4284-a0ad-30699c43c7af] --></body>"
          },

        "self" : {
              "ref" : "https://localhost/api/core/v3/contents/1221721",
              "allowed" : [ "PUT", "GET", "DELETE" ]
            },

      Jive REST Rest API v3.8 → Document entity

      PUT https://localhost/api/core/v3/contents/1221721

      {"content":{"type":"text/html","text":
      "<table class=\"Data\"><thead><tr><th>Messages</th></tr></thead>
           <tbody>
      <tr><td>I edited this message with my doc owner</td></tr>
      <tr><td>I edited this message with my user</td></tr>
      <tr><td>I want to edit with REST</td></tr>
      <tr><td>I want to edit with REST without the doc owner (my Full control user)</td></tr>
      </tbody>
      </table>"},"subject":"Jive subject","type":"document"}

      Response:

      message:"You are not allowed to perform this request"
      status:403

      Jive hosted platform version 6

      Thanks for your help!

        • Re: REST API - You are not allowed to perform this request

          If you look at the details of the 403 message you will likely see:

          {
              "code": 4026,
              "message": "The request could not be validated as originating from within the SBS application"
          }

          This is a common error when the authentication token is not set correctly. The content in an HTML widget is actually encapsulated in an iframe, so this might be a side effect of Jive's cross-site request forgery protection.

          If you want something like this to work reliably, a custom widget or app might be a better solution.
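As an added illustration (not code from this thread or from Jive), the GET-then-PUT flow of the original post written defensively: check the `allowed` verbs the entity advertises before updating, keep the wrapper the GET returned, escape what widget users type, and read the `code` in the 403 body rather than only its message. It assumes the `self` link sits under `resources` as in Jive v3 entities, and that a 403 body is either `{"error":{"code":...,"message":...}}` or the same fields at top level.

```javascript
const sampleDoc = {   // constructed from the GET excerpt in the post
  type: "document",
  subject: "Messages",
  content: {
    type: "text/html",
    text: "<body><!-- [DocumentBodyStart:4572ba6c-82ba-4284-a0ad-30699c43c7af] -->" +
      "<div class=\"jive-rendered-content\"><table class=\"Data\">" +
      "<thead><tr><th>Messages</th></tr></thead>" +
      "<tbody><tr><td>I want to edit with REST</td></tr></tbody></table></div>" +
      "<!-- [DocumentBodyEnd:4572ba6c-82ba-4284-a0ad-30699c43c7af] --></body>"
  },
  // assumed placement: Jive v3 entities carry their links under "resources"
  resources: { self: { ref: "https://localhost/api/core/v3/contents/1221721",
                       allowed: ["PUT", "GET", "DELETE"] } }
};

// Trust the server's hypermedia: only attempt a PUT the entity advertises.
function canUpdate(doc) {
  const self = doc.resources && doc.resources.self;
  return Boolean(self && Array.isArray(self.allowed) && self.allowed.includes("PUT"));
}

// Widget users type the rows, so escape before the text is stored as HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Append one table row in place, keeping the <body> wrapper and DocumentBody
// markers the GET returned instead of resending a bare <table>.
function appendRow(doc, message) {
  const html = doc.content.text;
  const at = html.lastIndexOf("</tbody>");
  if (at < 0) throw new Error("no <tbody> in document body");
  return html.slice(0, at) + "<tr><td>" + escapeHtml(message) + "</td></tr>" + html.slice(at);
}

// Build the PUT payload from the entity itself (subject and type come from the GET).
function buildPut(doc, message) {
  if (!canUpdate(doc)) throw new Error("server did not advertise PUT for this entity");
  return { content: { type: "text/html", text: appendRow(doc, message) },
           subject: doc.subject, type: doc.type };
}

// Read the 403 body's code: 4026 is the "could not be validated as originating from
// within the SBS application" case, an origin/token problem, not a permission one.
function classify403(body) {
  const err = (body && body.error) || body || {};
  return err.code === 4026 ? "origin-check" : "permission";
}
```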

            • Re: REST API - You are not allowed to perform this request
              jmarleau

              Hi Nils,

              Thanks for the response.  Here are some extra thoughts and questions, if you have any ideas...

              1- All I get through REST is the message "You are not allowed to perform this request".  Where could I check and find the detail of the error?

              2- The application is actually under federated login, so it leverages the user logged in.  It would not surprise me if it's a security issue, but I am trying to see what would be wrong.  I created 2 docs, one with my user, one with my test user, and both can POST to their own doc using the script, but they both cannot update the doc from the other user.  I actually tested successfully with an admin user; they can update both docs.

              -I'm not sure why it works for your own docs and not for the docs that you didn't create but have edit access to.  I can edit if I use Jive directly.

              -I'm not sure how the authentication token would be valid for your own docs, invalid for someone else's docs and valid if you are admin.

              3- Widget or app, I have no idea how to overcome the federated login, as our app is under a different subdomain (as recommended by Jive), and it represents a cross-site request and ALL requests become anonymous.

              Thanks

                • Re: REST API - You are not allowed to perform this request

                  On my mobile, so I can only answer 3 right now: The addon/apps framework provides alternatives to overcome the cross-domain issues.  Mainly the osapi.jive.corev3.contents JS API for manipulating Jive content, and the osapi.http.get/post/etc. methods for cross-domain API calls.  Much more stable and safe than embedded JS in an HTML widget.

                  Sent from my mobile

                    • Re: REST API - You are not allowed to perform this request
                      jmarleau

                      Hi Nils,

                      If you have a chance to review 1 & 2 ...

                      With regards to option 3, I would like to expand.  The goal of my app was to browse recent content for the current user and display a summary based on specific criteria.  Before I started to build the solution in an HTML widget, I tried to create the app using the app framework.  I'm having a hard time finding documentation and samples for version 6.0; most of the documentation is for version 7.0 and up and, to be honest, I would recommend highlighting which version of Jive a solution is for, because I tried many things that were simply not available in 6.0.

                      Developing the hello world worked like a charm using the sample but, not really useful :0).

                      I see a lot of documentation on how to use the new node.js framework, but that's only available using version 7.0 and up.

                      Developing an app is through the web dev console.

                        Developing Jive Apps for your own community - using the Dev Console app

                      I created a template and created an app, I created a webserver using the recommended https://www.nitrous.io/app but all my API queries, api/core/v3/contents?count=100&sort=latestActivityDesc&fields=subject,type, are failing with a 401 error, due to the fact that the app is located under apps.servername.com and not www.servername.com.  I haven't found how to overcome this issue, as what I found suggests using a username/password and that's not possible using SSO.  Not sure that's what I would like to do either.

                      I might have misunderstood the osapi.jive API; I thought it was a wrapper for the REST API, and didn't think it was necessary to use if I know the REST API call and how to process the answer.

                      Short to say, I tried many options and I thought the HTML widget was the safer solution, using the user credentials by default.

                      Do we have a sample of the osapi.jive API that works under SSO?

                • Re: REST API - You are not allowed to perform this request
                  jmarleau

                  Humm! Apparently all REST API commands require "Full Access".  This is actually administrator of our Jive instance and I doubt we will grant that level of access to some users for editing using the tool I created.