User permissions applied to OAUTH logins?

Hi, just noticed that when I do OAUTH login with a user who does not have access to groups or member details, they are still able to retrieve all groups and all the phone numbers for members of those groups using the API. Just checking if this is intented functionality? I assumed that OAUTH logins would be different from using the API key - i.e. that the user's own permissions would be applied.

Thanks and regards,


p.s. I logged in with OAUTH using our test user, 'john.imaginary'.

Posted by jon_guyer

Thanks Jon. Not they shouldn't have access. I'll get the team to look into it and ensure the hole is plugged :)

Have a great weekend


Posted by ben

Hi John,

Just did some tests and it seems to be working as expected. Can you perhaps generate new auth tokens to ensure everything is set-up your end? I am receiving the following JSON response when I have not granted a user permission:

[code]{'generated_in':'0.022','status':'fail','error':{'code':401,'message':'Access has not been granted for this method.'}}[/code]



Posted by ben

Hi Ben, thanks for testing, and maybe I'm confused about which API requests link to which user permissions.

Here's exactly what I'm doing:

I re-log in using OAUTH as john.imaginary, and get the new tokens:

[code]02-15 17:27:27.909: D/Auth(23121): oauth Token=d67.............
02-15 17:27:27.909: D/Auth(23121): oauth Refresh=86f.......
02-15 17:27:27.909: D/Auth(23121): oauth Expires=2014 Mar 01 17:27:27 GMT+11:00[/code]

Then I request the current user just to make sure I am logged in as that user:

[code]{'generated_in':'0.303','status':'ok','person':[{'id':'61addfae-1a95-11e3-99d1-f98cd173cdaa','date_added':'2013-09-11 03:51:04','date_modified':'2014-02-15 06:27:01','category_id':'3bf2a0c2-b089-11e2-9d32-1cdaf3332316','firstname':'John','lastname':'Imaginary'...[/code]

Now, that user does not have 'allow access to groups' privilege, but I request a list of all groups. I was expecting a request failure as above, but I seem to get the full list.

Then I request a list of the users in a specific group from that list, but that user does not have 'allow access to people', so I guess I would expect a request failure or an empty list, but I seem to get a full list including contact details of the people in the group.

[code]'generated_in':'0.303','status':'ok','group':[{'id':'ca4f507e-5b27-11e3-963d-e9c9319b7782','date_added':'2013-12-02 08:00:20','date_modified':'2013-12-27 11:06:02','name':'Test Group','status':'Active','meeting_address':'2 Highbury St','meeting_city':'Croydon','meeting_postcode':'2132','meeting_country':'Australia','meeting_day':'Tuesday','meeting_time':'7:00 PM','meeting_frequency':'Every Week','people':{'person':[{'id':'0f7704b4-1468-11e3-99d1-f98cd173cdaa','firstname':'Julie','lastname':'Guyer'...[/code]

No need to verify all this. I'm happy to take your word for it that the API implements the same permissions as the website - just want to give you all the data.



Posted by jon_guyer

Thanks Jon,

Can you email your auth token and refresh token to [support at elvanto dot com]? I'll look up the database and ensure the permissions are saving correctly :)

Talk soon


Posted by ben

Login or Signup to post a comment