Using an API Token restricted only to the website's domain, causes a "Forbidden" error in the plugin #255
Comments
We currently have the same problem. In release https://github.com/cloudflare/Cloudflare-WordPress/releases/tag/v3.4.0 it says the plug-in now supports API Tokens, but it's not working as intended with tokens that are restricted to the specific domain.
Upon further investigation, I think that the problem has its source in the shared The request that fails is which is triggered by this function that tries to fetch all the zones in the connected account: I tried to do the request manually with the restricted token and the response is:

```json
{
  "success": false,
  "errors": [
    {
      "code": 0,
      "message": "Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
    }
  ],
  "messages": [],
  "result": null
}
```

So if we set an API token to only access one zone, it will not have the ability to get the list of available zones. I've not been able to grant that permission manually. I'll try to open an Issue on the
I tried bringing this to the attention of Cloudflare support (we have an Enterprise contract). But explaining the error has been hard. We get a different person with every answer on the ticket and it feels like with every person you have to explain it again. Maybe one of the maintainers of this plug-in (@deuill or @manatarms) can take a look at this issue.
Our For now the workaround is granting read access to the account in question. The fix in the WP plugin would be for us to filter the list by the WP domain name when we look for a zone to pick.
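Added example, not part of the thread and not the plugin's code: one way to pick the zone by the WordPress domain name, as the comment above proposes. The function name `pick_zone_for_site` and the sample zone list are assumptions made for illustration; matching is done on DNS label boundaries and the caller gets `null` when nothing matches, so a site never ends up bound to another zone in the same account.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return the zone whose name equals the site host or is
 * a parent domain of it, preferring the longest (most specific) name.
 * The suffix test includes the leading dot, so "notexample.com" does not
 * match the zone "example.com".
 */
function pick_zone_for_site(string $siteUrl, array $zones): ?array
{
    $host = parse_url($siteUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null; // not an absolute URL, nothing to match against
    }
    $host = rtrim(strtolower($host), '.');

    $best = null;
    foreach ($zones as $zone) {
        $name = rtrim(strtolower((string) ($zone['name'] ?? '')), '.');
        if ($name === '') {
            continue; // skip malformed entries
        }
        $suffix = '.' . $name;
        $isMatch = $host === $name || substr($host, -strlen($suffix)) === $suffix;
        if ($isMatch && ($best === null || strlen($name) > strlen($best['name']))) {
            $best = $zone;
        }
    }
    return $best; // null means no zone matched: fail closed, do not guess
}

// Constructed sample data: zone entries reduced to "id" and "name".
$zones = [
    ['id' => 'zone-id-a', 'name' => 'example.com'],
    ['id' => 'zone-id-b', 'name' => 'shop.example.com'],
    ['id' => 'zone-id-c', 'name' => 'example.org'],
];

$sites = ['https://www.shop.example.com/', 'https://notexample.com/', 'https://example.net/'];
foreach ($sites as $url) {
    $zone = pick_zone_for_site($url, $zones);
    echo $url, ' => ', $zone['name'] ?? 'no matching zone', PHP_EOL;
}
```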
Since there is quite some activity in this repository again: I would love to know if this is on any roadmap. It's tough to decide if we should invest in rolling our own plug-in that works with the domain restricted API Token, or just wait a little longer.
Are there any plans on implementing this? If so, what is the timeline? Thanks!
This issue was fixed as part of v3.7.0. Thanks for reporting the issue.
4.11.0 cloudflare plugin, same problem with API token. Only works with global API key |
We have multiple sites under the same CF account and we would like to use API Tokens to authenticate the WordPress plugin to prevent a breach in one website from potentially causing drama in other ones.
When we restrict the token to only the zone of the website, the plugin GUI stops working with a "Forbidden" error in the bottom red bar. This defies the benefit of using API Tokens because the API Token for one website can edit any zone in the Cloudflare account.
Steps to recreate: