    request #10653: 403 Forbidden on
    Fabrice Larribe (teyssieuman)
    2017-11-21 08:39
    2017-09-14 18:18

    The API responds "403 Forbidden" on "api/tracker_reports" requests when the project is not public (my user has sufficient rights to access the project and to view the report).

    Here is a Python script that reproduces the problem:

    import requests
    import json

    # Silence the warning emitted because TLS certificate verification is disabled below
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    ## Get a token
    # POST /api/tokens
    r = requests.post("https://_my_server_/api/tokens",
                      data={'username': '_my_user_name_', 'password': '_my_password_'},
                      verify=False)
    j = json.loads(r.content.decode("utf-8"))

    # GET /api/tracker_reports/231 with the token passed as query parameters
    r = requests.get("https://sds-0lyg.wks.era.sds.safran/api/tracker_reports/231",
                     params={
                         'X-Auth-Token': j['token'],
                         'X-Auth-UserId': j['user_id']
                     },
                     data={},
                     verify=False)
    data = json.loads(r.content.decode("utf-8"))
    print(data)

    When the project is public, the response is:

    {u'label': u'SR', u'id': 231, u'resources': [{u'type': u'artifacts', u'uri': u'tracker_reports/231/artifacts'}], u'uri': u'tracker_reports/231'}

    But when the project is private:

    {u'error': {u'message': u'Forbidden', u'code': 403}}

    Version used: 0:1.0-9.11.99.147_1.el6

    API / development / CentOS 6 / Declined

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-09-22 19:44

    Hello,

    I think I got why your code snippet does not work. You try to pass the token information as GET parameters when they should be given as custom headers, as specified in the documentation.

    The following code snippet should work with your example (only tested against Python 3, but if changes are needed for Python 2 they should be trivial):

    import requests
    
    INSTANCE_URL = 'https://tuleap.example.com/api/'
    USERNAME = 'username'
    PASSWORD = 'I_REALLY_SHOULD_NOT_STORE_A_SECRET_IN_A_SOURCE_FILE'
    
    token_request = requests.post(INSTANCE_URL + 'tokens', data={'username': USERNAME, 'password': PASSWORD})
    token = token_request.json()
    
    artifacts_request = requests.get(INSTANCE_URL + 'tracker_reports/231/artifacts', headers={'X-Auth-Token': token['token'], 'X-Auth-UserId': str(token['user_id'])})
    print(artifacts_request.json())
    

     

    Tuleap does not allow you to pass the token information as GET parameters, as GET parameters are often logged by web servers/proxies/... and you generally do not want to have credentials in cleartext log files.
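    To make the logging point concrete, here is an added example (not from the ticket or from Tuleap) that builds the same tracker_reports request both ways with the standard library and shows what a web server's access-log request line would contain in each case; the instance URL and token value are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed sample values: a hypothetical Tuleap instance and a fake token.
INSTANCE_URL = "https://tuleap.example.com/api/"
TOKEN = {"token": "fake-token-value-for-demo", "user_id": 102}


def request_with_query_auth(path, token):
    """The pattern from the bug report: credentials in the query string."""
    query = urlencode({"X-Auth-Token": token["token"],
                       "X-Auth-UserId": token["user_id"]})
    return Request(INSTANCE_URL + path + "?" + query, method="GET")


def request_with_header_auth(path, token):
    """What the Tuleap REST API expects: credentials as custom headers.
    Note that urllib normalises header names (stored as "X-auth-token");
    HTTP header names are case-insensitive, so the server does not care."""
    return Request(INSTANCE_URL + path, method="GET", headers={
        "X-Auth-Token": token["token"],
        "X-Auth-UserId": str(token["user_id"]),
    })


def access_log_line(req):
    """Approximate the request line a web server or proxy writes to its
    access log: method, path and query string, but never the headers."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return "%s %s HTTP/1.1" % (req.get_method(), target)


def credentials_logged(req, token):
    """True if the token would end up in a cleartext access log."""
    return token["token"] in access_log_line(req)


if __name__ == "__main__":
    for build in (request_with_query_auth, request_with_header_auth):
        req = build("tracker_reports/231/artifacts", TOKEN)
        print(access_log_line(req), "-> token logged:",
              credentials_logged(req, TOKEN))
```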


    What do the other, related routes return for this project?

    • /projects/:id/trackers => with the ID of the related project
    • /trackers/:id => with the ID of the related tracker
    • /trackers/:id/tracker_reports => with the ID of the related tracker

    Hello,

    I am quite sure that my token is good because using it I can access other API functions.

    The problem with the community Python REST API client is that I'm using Python 2.6.6 (the one available with CentOS 6) and the compatibility of the plugin starts from 2.7.

    What experiment can I perform to diagnose the 403 problem?

    Hello,

    After doing some tests, I can retrieve artifacts from my report via REST even if my project is private (tested with a project admin and a regular project member).

    Are you sure your token is correctly retrieved?

    In addition, there is a REST API client written in Python by the community, to which we contribute, that you can use and/or enhance: https://github.com/djurodrljaca/tuleap-rest-api-client

    • Status changed from New to Waiting for information