Roles seem not to be working

Mattia · June 6, 2025, 2:26pm

I created a new User Account on Forest with team Operations and role USER
I modified Operations Collection permissions in order to disable create/update/delete for a certain table (a table that materialises a many-to-many relationship)
If I login with that User on Forest :

I can’t access production data → I get a forbidden error (although Operations can also normally access to production data)
I can still perform destructive operations on that table through this user on Forest

Feature(s) impacted

Roles management

Observed behavior

Roles management, configured on Forest Admin UI, does not seem to restrict my newly created user permissions.

Expected behavior

The new user should correctly see and operate on Production data, according to the collections permissions matrix I configured on Forest
The new user should not be able to perform create/update/delete on the table I mentioned, as configured in Forest Admin UI

Failure Logs

Forbidden Error 403

Context

Project name: Lift - Web App
Team name: Operations
Environment name: staging and Production
Database type: postgresql
Recent changes made on your end if any: none

And, if you are self-hosting your agent:

Agent technology: nodejs
Agent (forest package) name & version (from your .lock file): @forestadmin/agent: 1.55.1

dogan.ay · June 6, 2025, 2:42pm

Hello @Mattia,

I suspect that this issue is caused by some reverse proxy that could buffer SSE. As tackled by this troubleshooting section in our documentation.

From our side I can see that your agent is on version 1.64.1, which should notify you in the agent logs if it detects event buffering like so:

Unable to detect ServerSentEvents Heartbeat.
Forest Admin uses ServerSentEvents to ensure that permission cache is up to date.
It seems that your agent does not receive events from our server, this may due to buffering of events from your networking infrastructure (reverse proxy).

To ensure that this issue is caused by out of date permission cache on your agent, you can try to restart it and reenact the CRUD operation.

Best regards,

Mattia · June 13, 2025, 2:45pm

Thanks @dogan.ay for your reply !

It may look like it was a caching issue indeed, since I can now see production data.
Although, the permission I set are still not operational on the UI.

What am I expected to see on the UI if I disable :
- create
- update
- delete
CRUDS from a table ?
I did not see any SSE related logs on the backend side nor on the forest admin agent one.
Is there a way to enable verbose logging on Forest admin agent ?

Disable the SSE mechanism and fallback to old TTL cache by setting instantCacheRefresh: false in your agent init options.

what are the implications for disabling the SSE as the docs mention ? What’s the value for the TTL cache in that case ?
Further hints otherwise ?

My newly created user can still perform the operations I normally forbid from Forest UI on the specified database table.

Topic		Replies	Views
New Forest Admin users forbidden from accessing data Help me! dashboard	6	30	January 22, 2025
Access forbidden on user Help me!	19	1204	March 4, 2021
Admin user forbidden from all CRUD operations on Collections, no ability to set permissions in Roles Help me!	4	40	November 25, 2024
Error 403 while setting up new remote environment Help me!	3	169	December 19, 2023
403 on Production Environment for newly added users Help me!	3	116	February 22, 2024