API with group permission does not work

[cfelbertp]

Hi,

I enabled the API access and get the content of a single page, e.g.:

{
  pages {
    single (id: 15) {
      path
      title
      content
      createdAt
      updatedAt
    }
  }
}

Then I created a new API key and selected a group for permissions. I assigned all available permission in the content section.

Under page rules, I configured the following:

Allow read:pages, read:source, read:history, read:asset
Path starts with | any locale | /

When posting the request, I receive a 200: 'You are not authorized to view this page.' It does not matter what id I use. I also tried to configure the exact path of pages I tried to fetch. But I get a list of all pages posting:

{
  pages {
    list (orderBy: TITLE) {
      id
      path
      title
    }
  }
}

I use Wiki.JS 2.5.297 on Cloudron 7.3.6

[rrg92]

You give the group same equivalent system level permission?

[cfelbertp]

@rrg92, I assigned all available permissions in the content section to this group.

[cfelbertp]

The rules/permissions work for the list query, but I cannot access any single page.

[cfelbertp]

Does no one have this problem or is there a lack of information to better understand the issue?

[gcleaves]

I have the same problem. The API token created with a group cannot view a page even if web users of the group have access to read the page.

An API token with full permission is able to view the page.

[cfelbertp]

Very strange that even after weeks, there is no reaction whether this is a bug and whether it will be fixed.

[MetallicGoat]

Having the same difficulties here.

[MrEAlderson]

One way to overcome this would be to grant full access when creating the key. But that's not really a proper solution...

[jprevost-pro]

I'm experiencing the same issue.
I'm able to list all pages but get a PageViewForbidden 6013 exception

[l7s]

Same problem here. I'm able to list all pages but get a PageViewForbidden 6013 exception for query like below:

{ pages { single(id: PAGE_ID) { id path title locale updatedAt } }}

[NellsRelo]

I ran into this as well, but was able to get it working by giving the group Manage Page permissions. This isn't an ideal solution, as the API key could be then used to move or rename pages, but may shed light on the nature of the bug

[bullno1]

It explicitly checks for manage:pages and delete:pages' here: https://github.com/requarks/wiki/blob/main/server/graph/resolvers/page.js#L155