API returns 403 Forbidden even though no restrictions are applied

Some endpoints, such as the API for creating content (Topics::insert), require login for security reasons and cannot be accessed publicly. Design your application to call them after the login process, or use custom processing to send requests to them.

There are several ways to call these endpoints in an authenticated state using custom processing:

Using api_internal

You can call custom processing from an Api::request_api endpoint and, inside that custom processing, use the api_internal plugin to send a request to the Topics::insert endpoint with the desired authentication information. Passing the member_id parameter to api_internal executes the request in an authenticated state as the specified member ID.

Setting up custom processing

First, set the following code in the custom function:

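{* Request body *}
{assign_array var='body' values=''}
{assign var='body.subject' value=$smarty.request.subject}

{* Send the request to the Topics::insert endpoint, authenticated as member ID 1 *}
{api_internal
  var='response'
  status_var='status'
  endpoint='/rcms-api/39/topics/insert'
  method='POST'
  queries=$body
  member_id='1'}

{* Assign the response of the internal request to data *}
{assign var=data value=$response}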

Caution

The /rcms-api/39/topics/insert endpoint called here must be a Topics::insert endpoint, and the authentication method of its API must be set to "Dynamic Access Token".

Setting up the endpoint

Next, create the Api::request_api_post endpoint. In the name field, enter the identifier you set for the custom processing. Also, make sure the API security for this endpoint uses an authentication method separate from the one used for /rcms-api/39/topics/insert.

Example:
Topics::insert: Set the API security to Dynamic Access Token.
Api::request_api_post: Set the API security to Cookie.

When you call the request_api_post endpoint in Swagger UI, you can confirm that the content is added.

Using pre-processing

Create custom processing that logs in with a member ID that has the necessary permissions, then set it as the pre-processing for the Topics::insert endpoint and retrieve the response.

Setting up custom processing

First, set the following code in the custom processing. Please specify the member ID that has the permission to view the content definition.

{login member_id=1 overwrite=false} {* Log in as member_id:1 *}

Setting up the endpoint

Next, set the added custom processing as the pre-processing for the Topics::insert endpoint.

When you call the endpoint in Swagger UI, you can confirm that the content is added.
