github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-06 00:22:42 -05:00
Code Issues 464 Packages Projects Releases 71 Wiki Activity

[GH-ISSUE #1423] API: Resrouce set users endpoint returns 403 when using root API Key #1902

New Issue
Closed
opened 2026-04-16 08:45:43 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-16 08:45:43 -05:00
Owner
Copy Link

Originally created by @yasalmasri on GitHub (Sep 7, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1423

Bug Description

Trying to add user to a resource through Pangolin API with root API Key, but it returns HTTP status code 403 with error message: Key does not have access to this organization, I tried to replicate the same request with organization API Key and it works with no error.

Steps to Reproduce

  • Create Root API Key with all permissions.
  • Make this request:
curl -X POST 'https://pangolin.domain.com/v1/resource/17/users' \
  --header 'Content-Type: application/json' \
  --data '{
  "userIds": [
    "USER_ID"
  ]
}' \
  --header 'Authorization: Bearer ROOT_API_KEY'
  • Response received:
{
  "data": null,
  "success": false,
  "error": true,
  "message": "Key does not have access to this organization",
  "status": 403,
  "stack": null
}

Actual Behavior

API request returns http status code 403.

Expected Behavior

API request should return 201 and user should be added to resource.

Environment

Pangolin Version: 1.9.4
Deployment: Docker (fosrl/pangolin)
OS: Ubuntu 24.10

Originally created by @yasalmasri on GitHub (Sep 7, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1423 ## Bug Description Trying to add user to a resource through Pangolin API with root API Key, but it returns HTTP status code 403 with error message: `Key does not have access to this organization`, I tried to replicate the same request with organization API Key and it works with no error. ## Steps to Reproduce - Create Root API Key with all permissions. - Make this request: ```bash curl -X POST 'https://pangolin.domain.com/v1/resource/17/users' \ --header 'Content-Type: application/json' \ --data '{ "userIds": [ "USER_ID" ] }' \ --header 'Authorization: Bearer ROOT_API_KEY' ``` - Response received: ```json { "data": null, "success": false, "error": true, "message": "Key does not have access to this organization", "status": 403, "stack": null } ``` ## Actual Behavior API request returns http status code 403. ## Expected Behavior API request should return 201 and user should be added to resource. ## Environment Pangolin Version: 1.9.4 Deployment: Docker (fosrl/pangolin) OS: Ubuntu 24.10
GiteaMirror commented 2026-04-16 08:45:45 -05:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Sep 7, 2025):

Thanks for pointing this out! This will be fixed in the next release by
64722617c1

<!-- gh-comment-id:3263935368 --> @oschwartz10612 commented on GitHub (Sep 7, 2025): Thanks for pointing this out! This will be fixed in the next release by 64722617c1481f0694047ce250e5ab9945c10b2d
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#1902
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?