Cannot create a task on profile of another user #256

Open

link-transport-mickoz opened this issue May 14, 2024 · 4 comments

Comments

@link-transport-mickoz

Hello,

I'm trying to create a task on a user profile (a content container belonging to a user\models\User object), but I'm receiving 403 Forbidden:

{
    "code": 403,
    "message": "You are not allowed to create task!"
}

I'm authenticating with bearer token of a user that belongs to Administrator group.
Creating task on my own profile works through the API.
I can also create a task for another user using the UI, but not the API.

Do I have to change some specific permission?
If it's not possible, can you suggest a workaround?

@luke- luke- transferred this issue from humhub/rest May 14, 2024
@ArchBlood

It seems to me the following needs updating; note that I have not tested the modifications:

    public function actionCreate($containerId)
    {
        $containerRecord = ContentContainer::findOne(['id' => $containerId]);
        if ($containerRecord === null) {
            return $this->returnError(404, 'Content container not found!');
        }
        /** @var ContentContainerActiveRecord $container */
        $container = $containerRecord->getPolymorphicRelation();
        if (! in_array(get_class($container), Yii::$app->getModule('tasks')->getContentContainerTypes()) ||
            ! $container->permissionManager->can([CreateTask::class, ManageTasks::class])) {
            return $this->returnError(403, 'You are not allowed to create task!');
        }
        $taskParams = Yii::$app->request->post('Task', []);
        $taskForm = new TaskForm([
            'cal' => isset($taskParams['cal_mode']) ? $taskParams['cal_mode'] : null,
            'taskListId' => isset($taskParams['task_list_id']) ? $taskParams['task_list_id'] : null,
            'dateFormat' => 'php:Y-m-d',
            'timeFormat' => 'php:H:i',
        ]);
        $taskForm->createNew($container);
        if (! $taskForm->task->content->canEdit()) {
            return $this->returnError(403, 'You are not allowed to edit this task!');
        }
        if ($this->saveTask($taskForm)) {
            return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
        }
        if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
            return $this->returnError(422, 'Validation failed', [
                'taskForm' => $taskForm->getErrors(),
                'task' => $taskForm->task->getErrors(),
            ]);
        } else {
            Yii::error('Could not create validated task.', 'api');
            return $this->returnError(500, 'Internal error while save task!');
        }
    }

Modification

    public function actionCreate($containerId)
    {
        $containerRecord = ContentContainer::findOne(['id' => $containerId]);
        if ($containerRecord === null) {
            return $this->returnError(404, 'Content container not found!');
        }
        /** @var ContentContainerActiveRecord $container */
        $container = $containerRecord->getPolymorphicRelation();

        // Check if the user is an admin
        $isAdmin = Yii::$app->user->isAdmin();
        $hasPermission = $container->permissionManager->can([CreateTask::class, ManageTasks::class]);

        if (!in_array(get_class($container), Yii::$app->getModule('tasks')->getContentContainerTypes()) ||
            (!$isAdmin && !$hasPermission)) {
            return $this->returnError(403, 'You are not allowed to create task!');
        }

        $taskParams = Yii::$app->request->post('Task', []);

        $taskForm = new TaskForm([
            'cal' => isset($taskParams['cal_mode']) ? $taskParams['cal_mode'] : null,
            'taskListId' => isset($taskParams['task_list_id']) ? $taskParams['task_list_id'] : null,
            'dateFormat' => 'php:Y-m-d',
            'timeFormat' => 'php:H:i',
        ]);
        $taskForm->createNew($container);

        // Bypass the content edit check if the user is an admin
        if (!$isAdmin && !$taskForm->task->content->canEdit()) {
            return $this->returnError(403, 'You are not allowed to edit this task!');
        }

        if ($this->saveTask($taskForm)) {
            return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
        }

        if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
            return $this->returnError(422, 'Validation failed', [
                'taskForm' => $taskForm->getErrors(),
                'task' => $taskForm->task->getErrors(),
            ]);
        } else {
            Yii::error('Could not create validated task.', 'api');
            return $this->returnError(500, 'Internal error while save task!');
        }
    }

If actionCreate() has this issue then actionUpdate() may also have the same issue, so the following may need doing here as well:

public function actionUpdate($id)
{
    $task = Task::findOne(['id' => $id]);
    if (! $task) {
        return $this->returnError(404, 'Task not found!');
    }
    $taskForm = new TaskForm([
        'task' => $task,
        'dateFormat' => 'php:Y-m-d',
        'timeFormat' => 'php:H:i',
    ]);
    if (!$taskForm->task->content->canEdit()) {
        return $this->returnError(403, 'You are not allowed to update this task!');
    }
    if ($this->saveTask($taskForm)) {
        return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
    }
    if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
        return $this->returnError(422, 'Validation failed', [
            'taskForm' => $taskForm->getErrors(),
            'task' => $taskForm->task->getErrors(),
        ]);
    } else {
        Yii::error('Could not update validated task.', 'api');
        return $this->returnError(500, 'Internal error while save task!');
    }
}

Modification

public function actionUpdate($id)
{
    $task = Task::findOne(['id' => $id]);
    if (! $task) {
        return $this->returnError(404, 'Task not found!');
    }

    $taskForm = new TaskForm([
        'task' => $task,
        'dateFormat' => 'php:Y-m-d',
        'timeFormat' => 'php:H:i',
    ]);

    // Check if the user is an admin
    $isAdmin = Yii::$app->user->isAdmin();

    // Bypass the content edit check if the user is an admin
    if (!$isAdmin && !$taskForm->task->content->canEdit()) {
        return $this->returnError(403, 'You are not allowed to update this task!');
    }

    if ($this->saveTask($taskForm)) {
        return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
    }

    if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
        return $this->returnError(422, 'Validation failed', [
            'taskForm' => $taskForm->getErrors(),
            'task' => $taskForm->task->getErrors(),
        ]);
    } else {
        Yii::error('Could not update validated task.', 'api');
        return $this->returnError(500, 'Internal error while save task!');
    }
}
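The modification above makes the outcome depend on two things: the user-group the caller holds on the target profile (the CreateTask/ManageTasks permission check) and, new in the proposal, whether Yii::$app->user->isAdmin() is true, in which case both that check and the content->canEdit() check are skipped. The stand-alone script below is an added example, not HumHub or tasks module code; it models that decision for a profile container so the three variants discussed in this thread can be compared side by side: the original check, a widened defaultAllowedGroups, and the isAdmin() bypass. The group-resolution rule (profile owner is USERGROUP_SELF, everyone else USERGROUP_USER), the user names, and the policy functions are assumptions made for the illustration; HumHub's PermissionManager is not used.

```php
<?php
// Added example (not HumHub project code): a stand-alone model of the
// authorization decision made by the tasks REST actionCreate() for a User
// profile container. Group names mirror the constants quoted in this thread;
// the group-resolution and permission logic is a simplified assumption and
// does not call HumHub's PermissionManager.

declare(strict_types=1);

const USERGROUP_SELF = 'u_self';   // assumed: the profile owner
const USERGROUP_USER = 'u_user';   // assumed: any other authenticated user

// Assumed default for CreateTask on a profile: only the owner (Space groups
// are omitted because only User containers are modelled here).
const DEFAULT_ALLOWED_GROUPS = [USERGROUP_SELF];

final class Actor
{
    public function __construct(public string $name, public bool $isAdmin = false) {}
}

/** Assumed mapping of an actor to a user-group on another user's profile. */
function profileGroup(Actor $actor, string $profileOwner): string
{
    return $actor->name === $profileOwner ? USERGROUP_SELF : USERGROUP_USER;
}

/** Models permissionManager->can([CreateTask::class, ...]) for a profile. */
function groupAllows(Actor $actor, string $profileOwner, array $allowedGroups): bool
{
    return in_array(profileGroup($actor, $profileOwner), $allowedGroups, true);
}

/** Original actionCreate(): the group permission decides alone. */
function policyOriginal(Actor $a, string $owner): bool
{
    return groupAllows($a, $owner, DEFAULT_ALLOWED_GROUPS);
}

/** Workaround: USERGROUP_USER appended to defaultAllowedGroups. */
function policyWidenedGroups(Actor $a, string $owner): bool
{
    return groupAllows($a, $owner, [...DEFAULT_ALLOWED_GROUPS, USERGROUP_USER]);
}

/** Proposed modification: isAdmin() short-circuits the group check. */
function policyAdminBypass(Actor $a, string $owner): bool
{
    return $a->isAdmin || groupAllows($a, $owner, DEFAULT_ALLOWED_GROUPS);
}

/** Evaluates every policy for every actor/target pair. */
function decisionMatrix(array $actors, array $owners): array
{
    $policies = [
        'original'   => 'policyOriginal',
        'all_users'  => 'policyWidenedGroups',
        'admin_only' => 'policyAdminBypass',
    ];
    $out = [];
    foreach ($actors as $a) {
        foreach ($owners as $owner) {
            foreach ($policies as $label => $fn) {
                $out[$a->name][$owner][$label] = $fn($a, $owner);
            }
        }
    }
    return $out;
}

// Constructed sample users: two ordinary members and one administrator.
$actors = [new Actor('alice'), new Actor('bob'), new Actor('root', isAdmin: true)];
$owners = ['alice', 'bob'];

foreach (decisionMatrix($actors, $owners) as $actor => $byOwner) {
    foreach ($byOwner as $owner => $res) {
        printf("%-5s -> %-5s profile  original=%d  all_users=%d  admin_only=%d\n",
            $actor, $owner, $res['original'], $res['all_users'], $res['admin_only']);
    }
}
```

Run with `php decision.php` (PHP 8.0 or newer). The rows for a non-owner show where the two fixes differ: the widened-groups variant grants alice and bob creation rights on each other's profiles, while the isAdmin() variant grants only root. Whichever variant is applied, it is worth confirming against the real API that an ordinary user posting to another user's container still receives the 403, because the proposed modification also bypasses content->canEdit() whenever isAdmin() is true.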

@link-transport-mickoz
Author

Thanks for the reply.
Right now, I got it to work by adding a group to the default allowed groups in

public $defaultAllowedGroups = [
    Space::USERGROUP_OWNER,
    Space::USERGROUP_ADMIN,
    Space::USERGROUP_MODERATOR,
    Space::USERGROUP_MEMBER,
    User::USERGROUP_SELF,
];

public $defaultAllowedGroups = [
    Space::USERGROUP_OWNER,
    Space::USERGROUP_ADMIN,
    Space::USERGROUP_MODERATOR,
    Space::USERGROUP_MEMBER,
    User::USERGROUP_SELF,
    User::USERGROUP_USER // <--
];

Although from what I understand, now every user can create a task.

I'll try your changes and get back to you.

@link-transport-mickoz
Author

I changed methods, and tested out creating a task. Worked without issues.

Thanks for the help! Do you want to keep this issue open or should I close it?

@ArchBlood

I believe we should keep it open until a PR is merged to fix the issue.
