Unable to upload documentation file

[philippeluickx]

On nightly.
Add a new API backend.
Go to documentation tab. Select manage. Select a sample json file to upload.
Unable to upload documentation for an API I own:

File creation failed! n {error: 403, reason: "Access denied", details: undefined, message: "Access denied [403]", errorType: "Meteor.Error"}

[philippeluickx]

Also unable to upload logo

File creation failed! n {error: 403, reason: "Access denied", details: undefined, message: "Access denied [403]", errorType: "Meteor.Error"}

[bajiat]

@marla-singer Can you take a look at this?

[marla-singer]

@bajiat It's dublicate this issue #1570. I researched and detected that only users, who has a role 'admin' or 'manager', can upload a file. User doesn't have ane role on default. It can be solved in two ways:

1. Administrator can share role 'manager' to user
2. Or someone fixes it on code - if user add an api, will give him 'manager' role

[bajiat]

@marla-singer It is true that user does not have any role by default. But when they add an API, they become a manager automatically - but only for that particular API. This should already work, unless there is regression.
@philippeluickx added an API, thus becoming a 'manager' for that API. The same thing in #1570, @saralavanip started by adding an API.

[marla-singer]

@bajiat It looks like users don't become a manager automatically.

[bajiat]

@brylie Can you check this - do we have a regression and user does not become a manager if they add an API? Or is it related to adding Swagger files only?

[philippeluickx]

@bajiat It is also for uploading the logo, so I would assume that @marla-singer is correct in her assumption.

[brylie]

@bajiat, @marla-singer is correct that only users with Manager or Admin role can upload API Documentation files.

We can add a small fix for this issue, so that when they create an API they are assigned the 'manager' role.

// in apis/client/add/autoform.js
onSuccess (formType, apiId) {
      ...

      // Get current user ID
      const userId = Meteor.userId();

      // Give user manager role
      Roles.addUsersToRoles(userId, 'manager');
    }

We will also need an Allow rule for the Roles collection

// in /users/collection/roles_permissions.js
Meteor.roles.allow({
  insert () {
    // return true is insecure
    // we need to consider whether it is dangerous for users to generally invent roles.
    return true;
  },
});

[brylie]

As a more future-proof step, we could write a server-side method to run in autoform onSuccess, using the Validated Methods package. In general, we should be porting our allow/deny rules into Validated Methods.

[brylie]

This is a kind of tricky situation. On one hand, FileCollection package relies on collection allow/deny rules, so it may not be easy to create a ValidatedMethod for the FileCollection insert.

The alternative would be to create a ValidatedMethod where we add the user to the 'managers' role.

What other options do you see @marla-singer?

[brylie]

I created a quick PR to resolve this issue.

Instead of using the allow/deny approach for the Roles collection, I simply add the 'manager' role on startup. Then, when users create an API, they are given the 'manager' role.

[marla-singer]

I created a quick PR to resolve this issue.
Instead of using the allow/deny approach for the Roles collection, I simply add the 'manager' role on startup. Then, when users create an API, they are given the 'manager' role.

I think it's better solution at the moment

[brylie]

@marla-singer thanks. Will you please review the PR #1660?

[marla-singer]

@brylie Yes. I'll also test if these fixes the problem with uploading a logo