
I'm trying to query DataObjects in a class. I'm using the "Try It" form at the bottom of the Data Object - List documentation, but I get a 403 "You do not have permission to perform this action" response.

I'm providing the API Key, Instance Name, and I've tried with a simple query and with no query.

I've checked the "other" permissions on the Class, and it's set to "read". So are the "other" permissions on the only DataObject in the Class.

I tried it via JavaScript to include a userKey like this:

```javascript
var Syncano = require("syncano")
// Connection is created once, with the API key only.
var conn = Syncano({ apiKey: config.apiKey })
var DataObject = conn.DataObject

app.use("/:un", function(inReq, inResp, inNext)
{
    // The userKey is passed here, in the list() options,
    // not on the connection itself.
    var list =
    {
        instanceName: config.instance,
        userKey: inResp.locals.userKey,
        className: "member",
    }
    var query =
    {
        path: inReq.params.un
    }

    DataObject.please()
        .list(list)
        .filter(query)
        .then(function(inResult)
    {
        sLogger.info("Result: " + JSON.stringify(inResult))
        inResp.render("user")
    })
    .catch(function(inError)
    {
        sLogger.error("Failed to get user: ", inError)
    })
})
```

But I still get 403 "You do not have permission to perform this action".

Solution:

The solution (thanks to @mariusz-wiśniewski) is to pass the apiKey and userKey to the Syncano() constructor:

```javascript
var Syncano = require("syncano")

app.use("/:un", function(inReq, inResp, inNext)
{
    // Build the connection per request, with both the API key
    // and the current user's key.
    var conn = Syncano({ apiKey: config.apiKey, userKey: inResp.locals.userKey })
    var DataObject = conn.DataObject
    var list =
    {
        instanceName: config.instance,
        className: "member",
    }
    var query =
    {
        path: inReq.params.un
    }

    DataObject.please()
        .list(list)
        .filter(query)
        .then(function(inResult)
    {
        sLogger.info("Result: " + JSON.stringify(inResult))
        inResp.render("user")
    })
    .catch(function(inError)
    {
        sLogger.error("Failed to get user: ", inError)
    })
})
```

Rick

1 Answer


As a general rule, using an API Key to download objects always requires combining it with a User Key (and unfortunately it's not possible to send a User Key using the Try It function).

The only exception is when you use an API Key with Ignore ACL or Allow anonymous usage (see: https://www.evernote.com/l/AZbAfuRwRpJBdovrEpr6N3nUaygUvpHmsAw).

I would avoid publicly sharing a key with Ignore ACL, but the one with Allow anonymous usage you can share without any security concerns.

(based on http://docs.syncano.io/docs/authentication)

  • I updated the question to show the code I used to try to include the userKey, but I still get the permission error. – Rick Mar 30 '16 at 19:01
  • @Rick try passing the user key in the `conn` object, i.e. pass it in the Syncano constructor, next to the API Key, e.g. `var conn = Syncano({ apiKey: config.apiKey, userKey: inResp.locals.userKey })` – Mariusz Wiśniewski Mar 30 '16 at 19:47
  • Thanks, that seems to have worked. Pity the "Try It" doesn't support this, and that the DataObject.list docs don't make this more clear. Also, the docs mistakenly show "query()" rather than "filter()". – Rick Mar 30 '16 at 20:02
  • @Rick I updated "Try it" for Data Objects to also accept user keys, hope it helps. Thanks for the feedback! – Mariusz Wiśniewski Mar 30 '16 at 20:44
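
The read check described in the answer, as an added example that is not part of the original thread and is not Syncano's code: a simplified model showing why the question's request got a 403 despite "other: read", and why a key with Ignore ACL should not be shared. The field names (`ignoreAcl`, `allowAnonymous`, `otherPermissions`) are hypothetical, owner and group permissions are left out, and applying the "other" permissions to anonymous callers is an assumption.

```javascript
// Simplified model of the read check; field names are hypothetical,
// not taken from the Syncano library.
function listObjects(request, klass, objects) {
    var apiKey = request.apiKey
    var hasUserKey = Boolean(request.userKey)

    // A key flagged "Ignore ACL" skips every permission check.
    if (apiKey.ignoreAcl) {
        return { status: 200, objects: objects.slice() }
    }
    // A plain API key with no user key is rejected before any ACL is read,
    // which is why "other: read" alone did not help in the question.
    if (!hasUserKey && !apiKey.allowAnonymous) {
        return { status: 403, objects: [] }
    }
    // Assumption: from here the "other" permissions of the class and of
    // each object decide what a user or an anonymous caller may read.
    if (klass.otherPermissions === "none") {
        return { status: 403, objects: [] }
    }
    var visible = objects.filter(function (o) {
        return o.otherPermissions !== "none"
    })
    return { status: 200, objects: visible }
}

// Constructed sample data.
var memberClass = { name: "member", otherPermissions: "read" }
var members = [
    { path: "alice", otherPermissions: "read" },
    { path: "bob", otherPermissions: "none" }
]
var plainKey = { ignoreAcl: false, allowAnonymous: false }
var anonymousKey = { ignoreAcl: false, allowAnonymous: true }
var ignoreAclKey = { ignoreAcl: true, allowAnonymous: false }

function demo() {
    var user = "constructed-user-key"
    return {
        questionCase: listObjects({ apiKey: plainKey }, memberClass, members),
        withUserKey: listObjects({ apiKey: plainKey, userKey: user }, memberClass, members),
        anonymous: listObjects({ apiKey: anonymousKey }, memberClass, members),
        ignoreAcl: listObjects({ apiKey: ignoreAclKey }, memberClass, members)
    }
}
console.log(JSON.stringify(demo(), null, 2))
```

In this model the Ignore ACL key is the only one that returns the object whose "other" permission is "none".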