Why is the API returning inconsistent responses vs. home page visuals per user?
https://support.cireson.com/Help/Api/GET-api-V3-ServiceCatalog-GetServiceCatalog_userId_isScoped
Consider the code example below (feel free to copy paste it in your console).
When running this as "me" with my user, it gives inconsistency: API: 0, _root: 64.
When running it as a "normal" user, it gives the same amount of forms every time: API: 50, _root: 50
What am I missing here? Why does the API not respect access permissions in the same way as the core Cireson endpoint?
/*
 * Fetching from Root
 * ------------------
 * Call fetch on the same endpoint the Cireson portal uses
 * Send credentials only.
 *
 * @input credentials = "same-origin"
 *
 */
fetch( "/ServiceCatalog/GetServiceCatalog/", {credentials:"same-origin"} )
  .then( response => response.json() )
  .then( response => console.log( "_root", response.Data.length ) );
// RESULT => 64 for my user, 50 for "normal" user.

/*
 * Fetching from API v3
 * --------------------
 * Call fetch on the API endpoint
 * Send credentials, user data and scope data.
 *
 * @input credentials = "same-origin"
 * @input isScoped = true
 * @input userId = session.user.Id
 *
 */
fetch( `/api/V3/ServiceCatalog/GetServiceCatalog/?userId=${session.user.Id}&isScoped=true`, {credentials:"same-origin"} )
  .then( response => response.json() )
  .then( data => console.log( "API", data.length ) )
// RESULT => 0 for my user, 50 for "normal" user
Best Answers
-
Sebastian_Hansen Customer IT Monkey ✭
@john_doyle this seems correct. When running isScoped=false I get all the offerings in the entire SC regardless of user, so I ran a couple of tests on some users: Looks like not all have the session.user.Security.IsServiceCatalogScoped flag to "true". Whenever I fetch from the API with isScoped=true where user.Security.IsServiceCatalogScoped=false I get 0 rows as you hinted.
Although checking if the user is scoped "solves" my problem, I still do not know what exactly this scope refers to or what it means. E.g. how can I scope all my users, or make sure the below code is a good way of doing this:

fetch( `/api/V3/ServiceCatalog/GetServiceCatalog/?userId=${session.user.Id}&isScoped=${session.user.Security.IsServiceCatalogScoped}`, {credentials:"same-origin"} )
  .then( response => response.json() )
  .then( data => console.log( "API", data.length ) )
0 -
john_doyle Cireson Support Ninja IT Monkey ✭✭✭✭
@Sebastian_Hansen
That is exactly how you should be doing it. You need to pass the values of both the user.Id and the user.Security.IsServiceCatalogScoped properties from the session.
5
Answers
Without looking at the code, I suspect you have unscoped access to the Service Catalog. There will be no entries in the Access_CI$User_ServiceOffering or Access_CI$User_ServiceOffering tables for your user id. By running the API with isScoped=true, you are joining to these tables with your user id. The result will yield zero rows.
What number do you get if you call the API with isScoped=false ?
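The approach confirmed in the accepted answer (pass both user.Id and user.Security.IsServiceCatalogScoped from the session), written as a reusable check that compares the two endpoints per user. This is an added example, not part of the original thread and not Cireson code; the function names, `makeMockFetch` and its offering counts are constructed stand-ins so the logic can run outside the portal.

```javascript
// Added example (not Cireson's code). Endpoint paths and session fields come from
// the posts above; fetchImpl is injectable so the logic also runs outside the portal.
function buildCatalogUrl(user) {
  const scoped = user && user.Security && user.Security.IsServiceCatalogScoped;
  if (!user || !user.Id || typeof scoped !== "boolean") {
    // Refuse to guess: isScoped=true for an unscoped user silently yields 0 rows.
    throw new TypeError("user needs Id and Security.IsServiceCatalogScoped");
  }
  const query = new URLSearchParams({ userId: user.Id, isScoped: String(scoped) });
  return `/api/V3/ServiceCatalog/GetServiceCatalog/?${query}`;
}

async function getJson(fetchImpl, url) {
  const response = await fetchImpl(url, { credentials: "same-origin" });
  if (!response.ok) throw new Error(`${url} returned HTTP ${response.status}`);
  return response.json();
}

// Returns the offering counts from both endpoints so a mismatch is visible per user.
async function compareCatalogCounts(user, fetchImpl = fetch) {
  const [root, api] = await Promise.all([
    getJson(fetchImpl, "/ServiceCatalog/GetServiceCatalog/"),
    getJson(fetchImpl, buildCatalogUrl(user)),
  ]);
  const counts = { root: root.Data.length, api: api.length };
  return { ...counts, consistent: counts.root === counts.api };
}

// Constructed stand-in for the portal. It mimics only what the thread reports:
// the root endpoint wraps rows in Data, the v3 API returns a bare array, and
// isScoped=true returns just the rows tied to the user's access entries.
function makeMockFetch({ root, scopedRows, catalog }) {
  const rows = (n) => Array.from({ length: n }, (_, i) => ({ Id: i }));
  return async (url) => {
    const u = new URL(url, "https://portal.invalid"); // placeholder origin
    const isApi = u.pathname.startsWith("/api/V3/");
    const wantsScoped = u.searchParams.get("isScoped") === "true";
    const n = !isApi ? root : wantsScoped ? scopedRows : catalog;
    return { ok: true, status: 200, json: async () => (isApi ? rows(n) : { Data: rows(n) }) };
  };
}
```

In the portal console, call `compareCatalogCounts(session.user).then(console.log)` to use the real endpoints.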