What's the right way to handle user rights in Axios?

💻 Development
,
1

I’ve been using a plain Axios ‘get’ command to fetch files and their information in my application:

public async getFileInfo(fileId: string): Promise<NextcloudFile>{
	var url = generateUrl('/apps/files_bpm/page/getFileInfo?fileId='+fileId);
	const response = await axios.get(url);
	return response.data;
}

But this throws a 403 forbidden error when a regular user tries to open a file (Edit to clarify: this runs correctly for admin users). Is there an example of a way I should be doing this instead? I’ve looked at the tutorials, and some of the existing apps, but I keep getting too confused.

Controller construction:

	private IRootFolder $storage;
	private $logger;

	
	public function __construct($AppName, 
					IRequest $request, 
					IRootFolder 
					$storage, 
					$UserId,
					ILogger $logger){
		parent::__construct($AppName, $request);
		$this->userId = $UserId;
		$this->storage = $storage;
	}

I know this is wrong, I just can’t find an example simple enough that I can understand it.
(The full app is here)

2

Is this a plain axios or an instance of the @ nextcloud/axios package? The latter should handle the authentication for you if the user is already logged in.

Unfortunately, you did not describe the use case, so I am guessing you are developing an app for NC and right now on the frontend part. If this is wrong, please clarify the use case.

1 Like
3

Yes, it’s a frontend use of the @nextcloud/axios package, sorry. And that’s what’s odd - I’m pretty sure it’s authenticating the user, since this works fine if the logged-in user is an admin. I’m just trying to fetch a file’s content and metadata from my javascript frontend.
Edit: However, I’ve also tested this with a simplified function:

public function testDummy($fileId){
		$message = 'This is only a test. File ID: '+$fileId;
		return new DataResponse(['message'=> $message], 418);
	}

And I still get 403 forbidden for a regular user.

4

This is in your own controller?
Did you put an attribute or annotation (e.g #NoAdminRequired)?

See also Controllers — Nextcloud latest Developer Manual latest documentation

5

That’s it. I thought those were comments. Thank you, and sorry for the dumb question

6

No problem. I oversee these at the beginning as well. I was just curious about the dumb comment (not really human friendly).