Description of issue or problem I’m having:
I want to retrieve submission details using the REST API but get a 403, even though I am a site admin. Listing all submissions works for the user.
I assumed an admin can access all data.
Steps I took leading up to the issue:
- I followed these steps described here to make sure I am a site admin.
- I created an API token for the user.
- I used Postman to first retrieve the list of submissions, after selecting a specific submission (
/api/v1/submissions/700) from a href tag, I get a 403.
{
"error": "api.403.unauthorized",
"errorMessage": "Sie sind nicht berechtigt auf die angeforderte Quelle zuzugreifen."
}
Application Version
OMP 3.3.0.11.
Hi @dersmon,
I don’t have any OMP installation right now to try it, but at least for OJS admin users can access just some endpoints. To access /api/v1/submissions/700 you should be enrolled as a Journal Manager. So I guess you may try your query as a Press Manager on OMP.
Regards,
Gonzalo
Is there any documentation about which roles are required for what endpoint or is the only way to determine those roles checking the code? For example: pkp-lib/PKPSubmissionHandler.inc.php at 68513843bf33f1ccf61c3826f0d04475d7052170 · pkp/pkp-lib · GitHub
What is the reasoning behind allowing admins the submissions list but not the single submissions?
Besides checking the code, there’s an API documentation:
REST API Usage Guide
REST API documentation for v3.3
Keep in mind these lines about OMP-OJS API documentation (here):
Documentation for the REST APIs in OMP and OPS is not yet available. These applications share many of the same endpoints as OJS, but the documentation has not yet been prepared.
Hope this helps
That’s where I checked initially but did not find any information regarding access rights.