API token type read-only not works as expected 🐛 #14203
Labels
issue: enhancement
Issue suggesting an enhancement to an existing feature
source: core:strapi
Source is core/strapi package
Bug report
Required System information
v16.14.0
8.5.4
v4.3.6
postgres
MacOS
Describe the bug
Trying to create a plugin to extend an API route, I get error 403 when using the API Token of type read-only. My route is a GET, like below:
For this request to work, I need to use a token of the type full-access, but for our environment this is not a good option.
Expected behavior
Use API Token of the type read-only when routes are just GET methods.
Additional context
Looking at the source code, I found a function that checks the routes, and when the token is not of type find or findOne (which in this case is a little wrong, since the route is of type GET), it is necessary that the route has the scope of type find. But the documentation doesn't explain any of this. How can I solve this problem without having to use a full-access type token?
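A simplified model of the check described under "Additional context", added here as an illustration and not taken from Strapi's source or from the reporter's plugin. It assumes the decision is made from the route's scope strings rather than from the HTTP method; the token shapes, route names and scope strings are constructed.

```javascript
// Model of a scope-based read-only token check (illustrative, not Strapi code).
// Assumption: a route carries a list of scope strings whose last dot-separated
// segment is the action name, and a read-only token passes only when every
// scope names a find or findOne action.
const READ_ACTIONS = ['find', 'findOne'];

function isReadScope(scope) {
  return READ_ACTIONS.includes(scope.split('.').pop());
}

// Returns the HTTP status the request would receive.
function authorize(token, route) {
  if (!token) return 401;
  if (token.type === 'full-access') return 200;
  if (token.type !== 'read-only') return 403;
  const scopes = route.scope || [];
  // route.method is never consulted: being a GET is not enough on its own.
  return scopes.length > 0 && scopes.every(isReadScope) ? 200 : 403;
}

// Constructed sample routes covering the cases from the report.
const routes = {
  coreFind: { method: 'GET', scope: ['api::article.article.find'] },
  customGet: { method: 'GET', scope: ['plugin::my-plugin.report.summary'] },
  customGetAsFind: { method: 'GET', scope: ['plugin::my-plugin.report.find'] },
  noScope: { method: 'GET' },
  mixed: { method: 'GET', scope: ['api::article.article.find', 'api::article.article.delete'] },
  create: { method: 'POST', scope: ['api::article.article.create'] },
};

// Maps every sample route to the status a given token would get.
function decisionTable(token) {
  return Object.fromEntries(
    Object.entries(routes).map(([name, route]) => [name, authorize(token, route)])
  );
}

console.log('read-only  :', decisionTable({ type: 'read-only' }));
console.log('full-access:', decisionTable({ type: 'full-access' }));
```

In this model the custom GET route is rejected for the read-only token because its action is not named find or findOne, which matches the 403 in the report.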