Error missing permission in Postman but android app works

Posted: May 13, 2021 at 9:49 am


Robby Gunawan

May 13, 2021 at 9:49 am

Hi,
I just renewed my subscription just to ask about my problem (my last version was 4.9.79p).
I can’t access http://<mydoman>/wp-json/ee/v4.8.36/events/8/registrations
It shows this error:

{
    "code": "rest_registrations_cannot_list",
    "message": "Sorry, you are not allowed to list registrations related to Event. Missing permissions: ee_read_registrations,ee_read_others_registrations",
    "data": {
        "status": 403
    }
}

But when I log in from the Android app it works and can show my event details.

I thought it was a bug in that version and fixed in the next release, but I got the same error.


Tony

  • Support Staff

May 13, 2021 at 1:39 pm

Hi there,

This isn’t a bug as /registrations/ would be considered private data (it’s your registration data and should not be publicly accessible) so requires authentication, which you do within the app when you log in but not with Postman.

We have some details on authentication through the REST API here:

https://github.com/eventespresso/event-espresso-core/blob/master/docs/C–REST-API/ee4-rest-api-introduction.md#authentication

In Postman you can test this by first going to the Authorization tab for your request and selecting Basic Auth. Add your login details for the site to the fields and then send the request.

Examples, no Auth: https://monosnap.com/file/ZDDRlJBCrkpuahIdgE8NYUInI0jkTH

With Basic Auth: https://monosnap.com/file/P2xvQXGGZU9J4QAAkviBa1HadwYLk3


Robby Gunawan

May 13, 2021 at 3:09 pm

I already did put in the authentication:

https://ibb.co/LQpTt5p

I’m using a network site on AWS EC2 and have already disabled the iThemes Security plugin, but still have the same problem: it only works when using the Android application, but fails in Postman.


Tony

  • Support Staff

May 13, 2021 at 4:00 pm

So the above error normally means something is either stripping out the authorization header or blocking the request.

Install the REST API Log plugin: https://en-gb.wordpress.org/plugins/wp-rest-api-log/

Send the request to the site again using Postman, do you get a log entry?

If so, open it up and check the authorization header is listed in Request headers section.


Robby Gunawan

May 13, 2021 at 6:10 pm

Here is my request header section:

{
    "connection": "keep-alive",
    "accept_encoding": "gzip, deflate, br",
    "host": "mydomain",
    "postman_token": "d1d703be-3105-4c56-88a2-e6664a26899e",
    "cache_control": "no-cache",
    "accept": "*\/*",
    "user_agent": "PostmanRuntime\/7.28.0"
}


Tony

  • Support Staff

May 14, 2021 at 2:54 am

Yeah, so there’s no authorization header there. You should have something like this:

{
    "accept": "*\/*",
    "accept_encoding": "gzip, deflate, br",
    "authorization": "Basic {removed}=",
    "connection": "keep-alive",
    "host": "{domain}",
    "referer": "{domain}",
    "user_agent": "PostmanRuntime\/7.28.0",
    "postman_token": "{token}"
}

Within the Android app, are you just viewing the event details or are you viewing attendees? Event details are public details, they don’t require authentication to view them, for example:

http:///wp-json/ee/v4.8.36/events/8/

Would show the event details for event ID 8 without any authentication needed at all, which means in the Android app, if you are just loading the event details to check it works, you’re not comparing the same requests.

On the app, click on the event, then click on ‘attendees’, does it list the attendees or show the same error as above?
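The header check discussed in this thread, as an added example that is not part of the original posts or of Event Espresso: it classifies a "Request headers" object copied from the REST API log. The function names and the demo credentials are assumptions made for illustration.

```python
import base64
import binascii
import json

def basic_auth_value(user: str, password: str) -> str:
    """Build an RFC 7617 Basic credential: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def diagnose_logged_headers(headers_json: str) -> str:
    """Classify one 'Request headers' JSON object copied from the log.

    Returns 'missing', 'not-basic', 'malformed' or 'ok'.
    """
    # The log shows lower-case names with underscores; normalise anyway.
    headers = {k.lower().replace("-", "_"): v
               for k, v in json.loads(headers_json).items()}
    value = headers.get("authorization")
    if not isinstance(value, str) or not value.strip():
        return "missing"      # stripped before the request reached WordPress
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return "not-basic"
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "malformed"
    user, sep, _password = decoded.partition(":")
    return "ok" if sep and user else "malformed"

# Headers as posted in the thread (host already anonymised by the poster).
LOGGED_BY_SERVER = r'''{
    "connection": "keep-alive",
    "accept_encoding": "gzip, deflate, br",
    "host": "mydomain",
    "postman_token": "d1d703be-3105-4c56-88a2-e6664a26899e",
    "cache_control": "no-cache",
    "accept": "*\/*",
    "user_agent": "PostmanRuntime\/7.28.0"
}'''

# Constructed sample: same request with the header intact (demo credentials).
EXPECTED = json.dumps({"host": "mydomain", "accept": "*/*",
                       "authorization": basic_auth_value("demo-user", "demo-pass")})

if __name__ == "__main__":
    for name, sample in (("logged", LOGGED_BY_SERVER), ("expected", EXPECTED)):
        print(name, "->", diagnose_logged_headers(sample))
```

A result of `missing` for a request that Postman sent with Basic Auth enabled points at the web server or a proxy in front of WordPress, not at the client.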


Robby Gunawan

May 14, 2021 at 7:22 am

In my Android app it shows the attendees:

https://ibb.co/kKsSr

Or am I missing something in Postman?


Tony

  • Support Staff

May 14, 2021 at 7:51 am

That link doesn’t work for me (shows an image from Windows XP)

I can’t see an issue with Postman in the screenshot.

What domain are you running this on? (You can mark your reply private so only EE staff can view it)


Robby Gunawan

May 14, 2021 at 7:53 am

This reply has been marked as private.


Robby Gunawan

May 14, 2021 at 7:56 am

Sorry, I copy-pasted the wrong image; here is the correct one:

https://ibb.co/7rxbYCT


Robby Gunawan

May 14, 2021 at 7:58 am

This reply has been marked as private.


Robby Gunawan

May 14, 2021 at 8:04 am

This reply has been marked as private.


Tony

  • Support Staff

May 14, 2021 at 10:12 am

Ok, so yes, your server isn’t allowing for the Authorization header, it’s being stripped out before the request hits the site.

The apps are passing that over as part of the query as a workaround for this but Postman doesn’t.

If you add ?_authorization={Basic Auth string} to the end of the query string, the request works.

I’m not making any changes to your server/files, but I saw you had WP File Manager installed so had a look at your .htaccess file. It has this section commented out:

# Begin Custom htaccess	 	
#SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1	 	
# End Custom htaccess

Is that change from a previous fix or did you try that and it didn’t work?


Robby Gunawan

May 14, 2021 at 10:20 am

Yes, I commented it out; still the same result with or without SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1


Robby Gunawan

May 14, 2021 at 10:22 am

What is the string in the ?_authorization={Basic Auth string}

Is it something like wp-json/ee/v4.8.36/events/51/registrations?_authorization={Basic Auth string} ?


Robby Gunawan

May 14, 2021 at 10:40 am

Hi Tony,

I found the solution based on your comment that your server isn’t allowing for the Authorization header.

Since I’m using Bitnami, I searched and found the solution here: https://community.bitnami.com/t/how-can-enable-http-authorization-for-rest-api/72383

You can close this post.

Thanks


Tony

  • Support Staff

May 14, 2021 at 11:00 am

Nice find and thanks for keeping us updated 🙂

The support post ‘Error missing permission in Postman but android app works’ is closed to new replies.
