
Using an API Token restricted only to the website's domain, causes a "Forbidden" error in the plugin #142

Closed
brandomeniconi opened this issue May 18, 2020 · 2 comments


@brandomeniconi

We have multiple sites under the same CF account and we would like to use API Tokens to authenticate the WordPress plugin to prevent a breach in one website from potentially causing drama in other ones.

When we restrict the token to only the zone of the website, the plugin GUI stops working with a "Forbidden" error in the bottom red bar. This defies the benefit of using API Tokens because the API Token for one website can edit any zone in the Cloudflare account.

Steps to recreate:

  1. Create a new API Token
  2. In the "Zone Resources" settings select "Include" - "Specific Zone" - "the domain of your website"
  3. Use the token to authenticate the plugin
  4. When you try to login or edit something in the plugin it will show a "Forbidden" error
  5. If you remove the setting at (2) the plugin is able to login successfully

Upon further investigation, the request that fails is triggered by this function that tries to fetch all the zones in the connected account:

```js
export function asyncFetchZones() {
```

I tried to do the request manually with the restricted token and the response is:

```json
{
  "success": false,
  "errors": [
    {
      "code": 0,
      "message": "Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
    }
  ],
  "messages": [],
  "result": null
}
```

So if we set an API token to only access one zone, it will not have the ability to get the list of available zones. I have not been able to grant that permission manually.

Can the error be caught and the package provide a way to enter the zone ID manually?

This issue has been previously opened in the wordpress-plugin repository:
cloudflare/Cloudflare-WordPress#255
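The handling the report asks for, as an added example that is not the plugin's own code: try the zone listing, recognise the `zone.list` permission refusal that a zone-scoped token produces, and fall back to a zone ID the site operator entered manually. `cfGet`, `resolveZones` and the sample responses are assumptions constructed for this example; only the error message and permission name come from the issue.

```javascript
const ZONE_LIST_PERMISSION = 'com.cloudflare.api.account.zone.list';
const ZONE_ID_RE = /^[0-9a-f]{32}$/i; // Cloudflare zone IDs are 32 hex characters

// True when the API refused to list zones because the token lacks the
// account-level zone.list permission, i.e. the token is scoped to one zone.
function isZoneListForbidden(body) {
  return !!body && body.success === false && Array.isArray(body.errors) &&
    body.errors.some(e => typeof e.message === 'string' &&
                          e.message.includes(ZONE_LIST_PERMISSION));
}

// cfGet(path) returns the parsed JSON body of GET /client/v4{path}; it is
// injected so the example runs offline. configuredZoneId is the value the
// site operator entered manually as the fallback for zone-scoped tokens.
function resolveZones(cfGet, configuredZoneId) {
  const listing = cfGet('/zones');
  if (listing.success) {
    return { mode: 'list', zones: listing.result.map(z => ({ id: z.id, name: z.name })) };
  }
  if (!isZoneListForbidden(listing)) {
    throw new Error('Cloudflare API error: ' + JSON.stringify(listing.errors));
  }
  if (!configuredZoneId) {
    return { mode: 'needs-zone-id', zones: [] }; // GUI should prompt for the zone ID
  }
  if (!ZONE_ID_RE.test(configuredZoneId)) {
    throw new Error('Invalid zone ID format'); // never put unchecked input into the path
  }
  const single = cfGet('/zones/' + configuredZoneId);
  if (!single.success) {
    throw new Error('Configured zone is not readable with this token: ' + JSON.stringify(single.errors));
  }
  return { mode: 'single', zones: [{ id: single.result.id, name: single.result.name }] };
}

// Constructed sample responses standing in for the Cloudflare API (not real data).
const SAMPLE_ZONE_ID = '0123456789abcdef0123456789abcdef'; // placeholder zone ID
const sampleResponses = {
  '/zones': { success: false, errors: [{ code: 0, message:
    "Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones" }],
    messages: [], result: null },
  ['/zones/' + SAMPLE_ZONE_ID]: { success: true, errors: [], messages: [],
    result: { id: SAMPLE_ZONE_ID, name: 'example.com' } },
};
function sampleGet(path) {
  return sampleResponses[path] ||
    { success: false, errors: [{ code: 0, message: 'constructed: no sample for ' + path }], messages: [], result: null };
}
```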

@manatarms
Contributor

This issue was fixed as part of v3.7.0. Thanks for reporting the issue.

@brandomeniconi
Author

Thanks, great!
