We have multiple sites under the same CF account and we would like to use API Tokens to authenticate the WordPress plugin, to prevent a breach in one website from potentially causing drama in the other ones.

When we restrict the token to only the zone of the website, the plugin GUI stops working with a "Forbidden" error in the bottom red bar. This defeats the benefit of using API Tokens, because the API Token for one website can edit any zone in the Cloudflare account.

Steps to recreate:

1. Create a new API Token
2. In the "Zone Resources" settings select "Include" - "Specific Zone" - "the domain of your website"
3. Use the token to authenticate the plugin
4. When you try to log in or edit something in the plugin it will show a "Forbidden" error
5. If you remove the setting at (2) the plugin is able to log in successfully
Upon further investigation, the request that fails is triggered by this function that tries to fetch all the zones in the connected account:

`cloudflare-plugin-frontend/src/actions/zones.js`, line 66 in 5fa743f

I tried to do the request manually with the restricted token and the response is:

```json
{
  "success": false,
  "errors": [
    {
      "code": 0,
      "message": "Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
    }
  ],
  "messages": [],
  "result": null
}
```

So if we set an API token to only access one zone, it will not have the ability to get the list of available zones. I have not been able to grant that permission manually.

Can the error be caught, and can the package provide a way to enter the zoneID manually?
This issue was previously opened in the wordpress-plugin repository:
cloudflare/Cloudflare-WordPress#255
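The fallback the report asks for, sketched as an added example that is not part of the plugin's code or of this issue: it classifies the API v4 error body (matching the `errors[].message` text quoted above), and when the token lacks the zone list permission it reads the single zone by an operator-entered ID instead, which a token granted Zone Read on that zone can still do. The `client.get` transport, the `makeScopedFakeClient` stand-in, its status codes and the zone IDs are constructed for the example; the plugin's real HTTP layer is asynchronous.

```javascript
// Added example, not code from the cloudflare-plugin-frontend project.
// Classifies a Cloudflare API v4 response to GET /zones and, when the token is
// scoped to a single zone (so it lacks 'com.cloudflare.api.account.zone.list'),
// falls back to fetching one zone by an operator-supplied ID.

const ZONE_LIST_PERMISSION = 'com.cloudflare.api.account.zone.list';
// Cloudflare zone IDs are 32 lowercase hex characters; reject anything else
// before it reaches a URL.
const ZONE_ID_RE = /^[0-9a-f]{32}$/;

// Returns 'ok', 'zone-list-forbidden', 'unauthorized' or 'error'.
function classifyZonesResponse(status, body) {
  if (status === 200 && body && body.success === true) return 'ok';
  const errors = body && Array.isArray(body.errors) ? body.errors : [];
  const lacksListPermission = errors.some(
    (e) => typeof e.message === 'string' &&
           e.message.includes(`requires permission '${ZONE_LIST_PERMISSION}'`)
  );
  if (lacksListPermission) return 'zone-list-forbidden';
  if (status === 401 || status === 403) return 'unauthorized';
  return 'error';
}

// client.get(path) returns { status, body }: a synchronous stand-in for the
// plugin's HTTP layer so the example runs offline (the real plugin is async).
function resolveZones(client, manualZoneId) {
  const list = client.get('/zones');
  const kind = classifyZonesResponse(list.status, list.body);
  if (kind === 'ok') return { mode: 'list', zones: list.body.result };
  if (kind !== 'zone-list-forbidden') return { mode: 'error', reason: kind };

  // The token cannot list zones: ask for, or use, a zone ID entered by hand.
  if (!manualZoneId) return { mode: 'needs-zone-id', reason: kind };
  if (!ZONE_ID_RE.test(manualZoneId)) return { mode: 'error', reason: 'invalid-zone-id' };

  const one = client.get(`/zones/${manualZoneId}`);
  if (one.status === 200 && one.body && one.body.success === true) {
    return { mode: 'manual', zones: [one.body.result] };
  }
  return { mode: 'error', reason: 'zone-not-accessible' };
}

// Constructed fake client behaving like a token restricted to one zone:
// /zones is refused with the error body quoted in the issue, /zones/{id}
// succeeds only for the allowed zone. Status codes are assumed, not observed.
function makeScopedFakeClient(allowedZoneId) {
  const forbidden = {
    success: false,
    errors: [{
      code: 0,
      message: `Actor 'com.cloudflare.api.token...' requires permission '${ZONE_LIST_PERMISSION}' to list zones`,
    }],
    messages: [],
    result: null,
  };
  const notPermitted = {
    success: false,
    errors: [{ code: 0, message: 'zone not permitted for this token (constructed)' }],
    messages: [],
    result: null,
  };
  return {
    get(path) {
      if (path === '/zones') return { status: 403, body: forbidden };
      if (path === `/zones/${allowedZoneId}`) {
        return {
          status: 200,
          body: { success: true, errors: [], messages: [],
                  result: { id: allowedZoneId, name: 'example.com' } },
        };
      }
      return { status: 403, body: notPermitted };
    },
  };
}

// Constructed zone ID, not a real one.
const SAMPLE_ZONE_ID = '0123456789abcdef0123456789abcdef';

console.log(JSON.stringify(resolveZones(makeScopedFakeClient(SAMPLE_ZONE_ID), SAMPLE_ZONE_ID)));
```

The `needs-zone-id` result is the state in which a GUI would show a zone ID input instead of the red "Forbidden" bar; matching on the permission name rather than the HTTP status keeps genuine authentication failures (bad or expired token) reported as `unauthorized` rather than silently prompting for a zone.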