admin-api activeChannel Query Returns "FORBIDDEN" for Logged-in Users #3262

Open
yazfield opened this issue Dec 5, 2024 · 1 comment
Labels
type: bug 🐛 Something isn't working

Comments

Contributor

yazfield commented Dec 5, 2024

Describe the bug
First of all, not sure if this is a bug or I'm missing something.
I'm trying to log in using the admin-api and perform some queries as a seller account and show his channel information.
The ActiveChannel query returns a "You are not currently authorized to perform this action" (FORBIDDEN) error unless the user is logged in as an administrator.

So this prevents seller users from retrieving their active channel, even if they are authenticated and assigned to a channel.

To Reproduce
Steps to reproduce the behavior:

Log in using the login mutation with valid seller credentials:

```graphql
mutation Login {
  login(username: "[email protected]", password: "123123") {
    ...on CurrentUser {
      id
      identifier
    }
    ...on ErrorResult {
      errorCode
      message
    }
  }
}
```

Response:

```json
{
  "data": {
    "login": {
      "id": "2",
      "identifier": "[email protected]"
    }
  }
}
```

Attempt to fetch the active channel using the ActiveChannel query:

```graphql
query ActiveChannel {
  activeChannel {
    id
  }
}
```

Response:

```json
{
  "errors": [
    {
      "message": "You are not currently authorized to perform this action",
      "locations": [
        {
          "line": 28,
          "column": 3
        }
      ],
      "path": ["activeChannel"],
      "extensions": {
        "code": "FORBIDDEN"
      }
    }
  ],
  "data": null
}
```

Expected behavior
The ActiveChannel query should return the active channel for any authenticated user, not only for administrators.

Environment (please complete the following information):

  • @vendure/core version: 3.0.4
  • Nodejs version v20.8.1
  • Database (mysql/postgres etc): postgres

Additional context

I want to build an admin panel for the sellers in a multi-vendor setup; I need the channel information of the currently logged-in user.

@yazfield yazfield added the type: bug 🐛 Something isn't working label Dec 5, 2024
Contributor Author

yazfield commented Dec 7, 2024

After investigating, I found that in admin-ui the mutation SetActiveChannel is called:

```graphql
mutation SetActiveChannel($channelId: ID!) {
    setActiveChannel(channelId: $channelId) @client {
        ...UserStatus
    }
}
```

I tried to use it in the admin-api playground and got this error saying the mutation doesn't exist:

```json
{
  "error": {
    "errors": [
      {
        "message": "Cannot query field \"setActiveChannel\" on type \"Mutation\". Did you mean \"createChannel\", \"deleteChannel\", \"updateChannel\", or \"deleteChannels\"?",
        "locations": [
          {
            "line": 73,
            "column": 3
          }
        ],
        "extensions": {
          "http": {
            "status": 400,
            "headers": {}
          },
          "code": "GRAPHQL_VALIDATION_FAILED"
        }
      }
    ]
  }
}
```
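
The two reproduction steps from the issue, as an added example that is not part of the thread or of Vendure's own code: a Node.js check that logs in as each account and classifies the `activeChannel` response, telling the `FORBIDDEN` denial apart from the `GRAPHQL_VALIDATION_FAILED` schema error quoted in the second comment. The endpoint, the account list, the cookie-based session handling and the names `classify`, `httpPost` and `probeActiveChannel` are assumptions.

```javascript
// Added example, not Vendure code. Endpoint and account list are assumptions.
const LOGIN = `mutation Login($u: String!, $p: String!) {
  login(username: $u, password: $p) {
    ... on CurrentUser { id identifier }
    ... on ErrorResult { errorCode message }
  }
}`;
const ACTIVE_CHANNEL = 'query ActiveChannel { activeChannel { id } }';

// Response bodies trimmed from the two errors quoted in the issue.
const SAMPLE_FORBIDDEN = { errors: [{ path: ['activeChannel'], extensions: { code: 'FORBIDDEN' } }], data: null };
const SAMPLE_VALIDATION = { error: { errors: [{ extensions: { code: 'GRAPHQL_VALIDATION_FAILED' } }] } };

// Reduce a GraphQL response body to one outcome for the requested field.
// Accepts both the plain shape and the playground's { error: { errors } } wrapper.
function classify(body, field) {
  const errors = body.errors ?? body.error?.errors ?? [];
  const codes = errors.map((e) => e.extensions?.code);
  if (codes.includes('FORBIDDEN')) return 'forbidden'; // authorization denied for this session
  if (codes.includes('GRAPHQL_VALIDATION_FAILED')) return 'schema-rejected'; // query does not match the server schema
  if (errors.length > 0) return 'error';
  return body.data?.[field] ? 'allowed' : 'empty';
}

// Default transport: POST JSON and carry the session cookie forward.
// Assumption: the server uses cookie-based sessions.
async function httpPost(endpoint, query, variables, cookie) {
  const res = await fetch(endpoint, {
    method: 'POST',
    headers: { 'content-type': 'application/json', ...(cookie ? { cookie } : {}) },
    body: JSON.stringify({ query, variables }),
  });
  const fresh = res.headers.getSetCookie().map((c) => c.split(';')[0]).join('; ');
  return { body: await res.json(), cookie: fresh || cookie };
}

// Log in as each account and record whether activeChannel is readable.
async function probeActiveChannel(endpoint, accounts, post = httpPost) {
  const report = {};
  for (const { username, password } of accounts) {
    const login = await post(endpoint, LOGIN, { u: username, p: password });
    if (!login.body.data?.login?.id) {
      report[username] = 'login-failed';
      continue;
    }
    const res = await post(endpoint, ACTIVE_CHANNEL, {}, login.cookie);
    report[username] = classify(res.body, 'activeChannel');
  }
  return report;
}
```

Run against a test instance with one account per role, the report gives a per-role view of who can read `activeChannel`, which can be pinned as a regression check on role permissions.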
