syncano

Syncano "403 You do not have permission to perform this action" while querying DataObject

I'm trying to query DataObjects in a class. I'm using the "Try It" form at the bottom of the Data Object - List documentation, but I get a 403 "You do not have permission to perform this action" response.

I'm providing the API Key, Instance Name, and I've tried with a simple query and with no query.

I've checked the "other" permissions on the Class, and it's set to "read". So is the "other" permissions on the only DataObject in the Class.

I tried it via Javascript to include a userKey like this:

var Syncano = require("syncano")
var conn = Syncano({ apiKey: config.apiKey })
var DataObject = conn.DataObject

app.use("/:un", function(inReq, inResp, inNext)
{
    var list =
    {
        instanceName: config.instance,
        userKey: inResp.locals.userKey,
        className: "member",
    }
    var query =
    {
        path: inReq.params.un
    }

    DataObject.please()
        .list(list)
        .filter(query)
        .then(function(inResult)
    {
        sLogger.info("Result: " + JSON.stringify(inResult))
        inResp.render("user")
    })
    .catch(function(inError)
    {
        sLogger.error("Failed to get user: ", inError)
    })
})

But I still get 403 "You do not have permission to perform this action".

Solution:

The solution (thanks to @mariusz-wiśniewski) is to pass the apiKey and userKey to the Syncano() constructor:

var Syncano = require("syncano")

app.use("/:un", function(inReq, inResp, inNext)
{
    var conn = Syncano({ apiKey: config.apiKey, userKey: inResp.locals.userKey })
    var DataObject = conn.DataObject
    var list =
    {
        instanceName: config.instance,
        className: "member",
    }
    var query =
    {
        path: inReq.params.un
    }

    DataObject.please()
        .list(list)
        .filter(query)
        .then(function(inResult)
    {
        sLogger.info("Result: " + JSON.stringify(inResult))
        inResp.render("user")
    })
    .catch(function(inError)
    {
        sLogger.error("Failed to get user: ", inError)
    })
})
Solution

  • As a general rule, using an API Keys to download objects, always requires to combine it with a User Key (and unfortunately it's not possible to send User Key using Try it function).

    Only exception is when you use API Key with Ignore ACL or Allow anonymous usage. (see: https://www.evernote.com/l/AZbAfuRwRpJBdovrEpr6N3nUaygUvpHmsAw).

    I would avoid public sharing key with ignore acl, but the one with allow anonymous usage you can share without any security concerns.

    (based on http://docs.syncano.io/docs/authentication)