Some person of the team can't reach our data

Expected behavior

A logged-in user can access all the tables of the admin

Actual behavior

Some users who are part of two teams of collaborators can’t reach the data

Failure Logs

They receive a 403: forbidden access on the request:

https://admin.healico.fr/forest/users?fields[account]=id&fields[users]=account%2Cemail%2Cfirstname%2Cid%2Clastname%2CverifiedHealthcareProfessionalStatus%2CmedokSub&page[number]=1&page[size]=15&searchExtended=0&sort=verifiedHealthcareProfessionalStatus&timezone=Europe%2FParis

Context

Please provide any relevant information about your setup.

  • Package Version: 3.10.9 (lumber cli)
  • Express Version: 7.9.6
  • Sequelize Version: 6.7.7
  • Database Dialect: postgresql
  • Database Version: 0.0.1
  • Project Name: Darwin

Hello @Alix_Bouloc,

Thank you for your feedback.

Can you share more details about your issue on Forest Admin?

It seems that only some users experience the issue. Do they experience this issue on production or on another environment? Do they belong to the same role?

Can you describe what they are doing before getting this error?

Do they have this error on other collections?

Some specific users have this error. They are all part of two different teams: “operation” and “integration manager”. They have the error on all the environments.
It is not correlated to their IP address, nor their cached data (they reproduce the issue while using the incognito mode).

They do nothing special, just click on the specified table and the table account. They have access to all the other tables.

While I’m investigating this, can you share with me in private message the email address of users having the issue, and another user from the same team not having it?

Thanks.

Is it also possible to share the response’s body? I would like to know if there is a specific error returned by the backend.

Thanks

Hello again @Alix_Bouloc,

I checked the code of forest-express in the version you are using, and it seems that there are some logs when a user gets rejected.

Do you have access to these logs in any environments on which the users experience the issue? Can you share the log with us?

When I inspect the code, the error body returned to the client part is only Forbidden Access.

On the server part, the corresponding log is:
"_source": {
  "log": "GET /forest/users?fields%5Baccount%5D=id&fields%5Busers%5D=account%2Cemail%2Cid%2Cfirstname%2Clastname%2CverifiedHealthcareProfessionalStatus%2CmedokSub&page%5Bnumber%5D=1&page%5Bsize%5D=15&searchExtended=0&sort=-id&timezone=Europe%2FParis 403 48 - 129.093 ms\n",
  "stream": "stdout",
  "docker": {
    "container_id": "0ef789ef2eb82deca484bdf3ef629f4639bbb715e929baf388158da50ebc7a7e"
  },

I’m not sure it will help ! ^^’
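
To triage a report like this one, the 403 lines can be pulled out of the container logs and grouped by route. This is an added example, not part of the original post or of Forest Admin's code; it assumes records shaped like the fragment quoted above (a `log` field holding one access-log line), and the sample records are constructed.

```javascript
// Constructed sample records in the shape of the fragment quoted in the post.
const SAMPLE_RECORDS = [
  { log: 'GET /forest/users?fields%5Busers%5D=email%2Cid&page%5Bnumber%5D=1&sort=-id&timezone=Europe%2FParis 403 48 - 129.093 ms\n', stream: 'stdout' },
  { log: 'GET /forest/accounts?page%5Bnumber%5D=1&timezone=Europe%2FParis 200 5120 - 88.410 ms\n', stream: 'stdout' },
  { log: 'GET /forest/users?page%5Bnumber%5D=2&sort=-id 403 48 - 101.500 ms\n', stream: 'stdout' },
  { log: '[forest] Unexpected error: something else\n', stream: 'stdout' },
];

// Layout of the quoted line: "<METHOD> <url> <status> <bytes|-> - <time> ms".
const ACCESS_LINE = /^([A-Z]+) (\S+) (\d{3}) (\d+|-) - ([\d.]+) ms$/;

function parseAccessLine(line) {
  const m = ACCESS_LINE.exec(line.trim());
  if (!m) return null; // not an access-log line (e.g. application output)
  // The base URL is a placeholder needed only so URL can parse a relative path.
  const url = new URL(m[2], 'http://placeholder.invalid');
  return {
    method: m[1],
    path: url.pathname,
    query: Object.fromEntries(url.searchParams), // percent-decoding done by URL
    status: Number(m[3]),
    bytes: m[4] === '-' ? null : Number(m[4]),
    ms: Number(m[5]),
  };
}

// Count 403s per method and path so a rejected route stands out from working ones.
function summarizeForbidden(records) {
  const counts = new Map();
  for (const rec of records) {
    const entry = typeof rec.log === 'string' ? parseAccessLine(rec.log) : null;
    if (!entry || entry.status !== 403) continue;
    const key = `${entry.method} ${entry.path}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

for (const [route, n] of summarizeForbidden(SAMPLE_RECORDS)) {
  console.log(`${n} x 403 on ${route}`);
}
```

A 403 that shows up in the application's own access log was answered by the application itself, which narrows the search to its permission checks and whatever request attributes they depend on.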

The application itself also logs some content in the console, do you have access to these logs?

I checked on my side with parameters from your project, to see if I could reproduce your issue, but I could not.

I’m still interested if you have any additional logs from your server. But I’m also interested to know if you have some custom code responding to the route /forest/users (that is something you can customize).

So, do you have some custom code in the file routes/users.js for this route? Here is the default value for this route.

If it’s the middleware permissionMiddlewareCreator.list() that throws the error, in theory the error should be logged.

// Get a list of Users
router.get('/users', permissionMiddlewareCreator.list(), (request, response, next) => {
  // Learn what this route does here: https://docs.forestadmin.com/documentation/v/v6/reference-guide/routes/default-routes#get-a-list-of-records
  next();
});

Hi, sorry, I think I might have made you lose your time. That 403 occurred because of our client VPN. I found that out after making all the tests with him instead of letting him do a todo list.

He had tried on his account with the VPN, then without, but he still had some cache that made it fail. He then put his VPN back on and tried with the incognito mode. Sorry again.

After all that digging, I found another problem: while using the research function on the user table, I have that error:

2|admin  | [forest] 🌳🌳🌳  Unexpected error: function lower(uuid) does not exist
2|admin  | SequelizeDatabaseError: function lower(uuid) does not exist
2|admin  |     at Query.formatError (/home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/dialects/postgres/query.js:386:16)
2|admin  |     at Query.run (/home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/dialects/postgres/query.js:87:18)
2|admin  |     at processTicksAndRejections (internal/process/task_queues.js:93:5)
2|admin  |     at async /home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/sequelize.js:619:16
2|admin  |     at async PostgresQueryInterface.rawSelect (/home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/dialects/abstract/query-interface.js:994:18)
2|admin  |     at async Function.aggregate (/home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/model.js:1986:19)
2|admin  |     at async Function.count (/home/ubuntu/releases/20210305201057/forest-admin/node_modules/sequelize/lib/model.js:2037:12)

My table definition is

const User = sequelize.define(
    'users',
    {
      id: {
        type: DataTypes.UUID,
        primaryKey: true,
        defaultValue: Sequelize.literal('uuid_generate_v4()'),
        allowNull: false,
      },
      email: {
        type: DataTypes.STRING,
      },
      firstname: {
        type: DataTypes.STRING,
        defaultValue: '',
        validate: {
          is: /^[a-zA-Z\p{L}' -]*$/u,
        },
        // This is needed to set empty strings. (see https://community.forestadmin.com/t/cant-save-not-null-fields-with-empty-strings/1091/3.)
        set(val) {
          this.setDataValue('firstname', val || '');
        },
      },
    },
    {
      tableName: 'users',
      underscored: true,
      timestamps: false,
      schema: process.env.DATABASE_SCHEMA,
    },
  );

It is linked to two other tables :

  User.associate = (models) => {
    User.belongsTo(models.accounts);
    User.hasMany(models.consents, {
      foreignKey: 'created_by_user_id',
      as: 'authoredConsent',
    });
    User.belongsToMany(models.patients, { through: models.consents });
    User.belongsToMany(models.locations, { through: models.locationsUsers, foreignKey: 'user_id', otherKey: 'location_id' });
  };

and it has a beforeUpdate rule that does not use the id.

I don’t know what I’m doing wrong

Hello, thanks for letting us know that you found a solution to your problem. I’m glad you found that your VPN was causing the issue.

Can you please create another post for your second problem, as it does not seem related to the first one? It’ll be easier for people to search if they encounter the same issue.

Thanks

Ok I’m on it ! I’ll do another post !