Why is the API returning inconsistent responses vs. home page visuals per user?

Sebastian_Hansen Customer IT Monkey ✭
edited December 2017 in General Discussion
I'm calling GetServiceCatalog in the API V3.
https://support.cireson.com/Help/Api/GET-api-V3-ServiceCatalog-GetServiceCatalog_userId_isScoped

Consider the code example below (feel free to copy paste it in your console).

When running this as "me" with my user, it gives inconsistency: API: 0, _root: 64.
When running it as a "normal" user, it gives the same amount of forms every time: API: 50, _root: 50

What am I missing here? Why does the API not respect access permissions in the same way as the core Cireson endpoint?

/*
* Fetching from Root
* ------------------
* Call fetch on the same endpoint the Cireson portal uses
* Send credentials only.
*
* @input credentials = "same-origin"
* 
*/

fetch(
 "/ServiceCatalog/GetServiceCatalog/",
 {credentials:"same-origin"}
).then(
 response => response.json()
).then(
 response => console.log( "_root", response.Data.length )
);

// RESULT => 64 for my user, 50 for "normal" user.


/*
* Fetching from API v3
* --------------------
* Call fetch on the API endpoint
* Send credentials, user data and scope data.
* 
* @input credentials = "same-origin"
* @input isScoped = true
* @input userId = session.user.Id
* 
*/
fetch(
 `/api/V3/ServiceCatalog/GetServiceCatalog/?userId=${session.user.Id}&isScoped=true`,
 {credentials:"same-origin"}
).then(
 response => response.json()
).then(
 data => console.log( "API", data.length )
)

// RESULT => 0 for my user, 50 for "normal" user

Answers

  • john_doyle Cireson Support Ninja IT Monkey ✭✭✭✭
    Hi @Sebastian_Hansen,

    Without looking at the code, I suspect you have unscoped access to the Service Catalog. There will be no entries in the Access_CI$User_ServiceOffering or Access_CI$User_ServiceOffering tables for your user id. By running the API with isScoped=true, you are joining to these tables with your user id. The result will yield zero rows.

    What number do you get if you call the API with isScoped=false?


  • Sebastian_Hansen Customer IT Monkey ✭
    edited December 2017 Accepted Answer
    @john_doyle this seems correct. When running isScoped=false I get all the offerings in the entire SC regardless of user, so I ran a couple of tests on some users: Looks like not all have the session.user.Security.IsServiceCatalogScoped flag set to "true". Whenever I fetch from the API with isScoped=true where user.Security.IsServiceCatalogScoped=false I get 0 rows as you hinted.

    Although checking if the user is scoped "solves" my problem, I still do not know what exactly this scope refers to or what it means. E.g. how can I scope all my users, or make sure the below code is a good way of doing this:

    fetch(
     `/api/V3/ServiceCatalog/GetServiceCatalog/?userId=${session.user.Id}&isScoped=${session.user.Security.IsServiceCatalogScoped}`,
     {credentials:"same-origin"}
    ).then(
     response => response.json()
    ).then(
     data => console.log( "API", data.length )
    )
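
The behaviour described in this thread, as an added example that is not part of the original posts and is not Cireson's code: a small in-memory model of a scoped call that joins to a per-user access table, compared with the call that passes the user's own IsServiceCatalogScoped flag. The offerings, access rows, user ids, the function names and the assumption that the portal endpoint derives scope from the user record are all constructed for illustration.

```javascript
// Constructed sample data (assumption): a tiny catalog and access table.
const offerings = ["Laptop", "VPN access", "New mailbox", "Admin account"];

// Per-user access rows exist only for scoped users, as described in the thread.
const accessRows = [
  { userId: "u-normal", offering: "Laptop" },
  { userId: "u-normal", offering: "VPN access" },
];

const users = {
  "u-normal": { Id: "u-normal", Security: { IsServiceCatalogScoped: true } },
  "u-admin": { Id: "u-admin", Security: { IsServiceCatalogScoped: false } },
};

// Model of the API call: isScoped=true joins offerings to the access table
// on userId; isScoped=false returns the whole catalog regardless of user.
function apiGetServiceCatalog(userId, isScoped) {
  if (!isScoped) return [...offerings];
  return offerings.filter(o =>
    accessRows.some(r => r.userId === userId && r.offering === o));
}

// Model of the portal endpoint (assumption): scope comes from the user record.
function portalGetServiceCatalog(sessionUser) {
  const scoped = users[sessionUser.Id].Security.IsServiceCatalogScoped;
  return apiGetServiceCatalog(sessionUser.Id, scoped);
}

// Builds the API URL the way the accepted answer does, with encoded parameters.
function catalogUrl(sessionUser) {
  const params = new URLSearchParams({
    userId: sessionUser.Id,
    isScoped: String(sessionUser.Security.IsServiceCatalogScoped),
  });
  return `/api/V3/ServiceCatalog/GetServiceCatalog/?${params}`;
}

// Row counts for one user: portal view, hard-coded isScoped=true,
// and isScoped taken from the user's own flag.
function compareCounts(sessionUser) {
  const flag = sessionUser.Security.IsServiceCatalogScoped;
  return {
    root: portalGetServiceCatalog(sessionUser).length,
    apiScopedTrue: apiGetServiceCatalog(sessionUser.Id, true).length,
    apiFlagMatched: apiGetServiceCatalog(sessionUser.Id, flag).length,
  };
}

console.log(compareCounts(users["u-admin"]), compareCounts(users["u-normal"]));
```

In this model the unscoped user sees the same mismatch as in the question (portal count non-zero, API count zero with isScoped=true), and the counts agree once isScoped follows the user's flag.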