Why don't I seem to have role based access to API from a logged in session?

Hello,

I am using a JavaScript file hosted in public files and a widget to prototype a tool for our school.

I use replace strings to create a global variable with the org unit id that my JavaScript can access.

I am able to use the org unit id to create API urls that allow me to retrieve information about the course (for instance).

However, this approach only seems to work for GET requests and read-only endpoints.

When using the same approach for a POST or PUT endpoint I get 403 Forbidden.

Why is it that the GET requests can determine, say, what Org Unit Ids I am able to view the Table of Contents for, but the POST requests are not able to determine that the logged in user initiating the request has, for instance, Manage Files Create, Upload and Delete permissions for the given Org Unit?

Thanks for any info.

Answers

  • Station.G.794

    I've found an answer in this thread:

    https://community.d2l.com/brightspace/discussion/473/what-is-the-proper-format-for-making-an-ajax-put-request