403 Forbidden when creating a Vendor


Ricky Manriquez

Apr 5, 2017, 5:17:59 PM
to Lightspeed Retail API Developers
Creating a vendor suddenly stopped working from my app.  It had been working fine for almost a year.  I am now getting a 403 Forbidden error.

I thought it might be an expired OAuth token, so I generated a new access token, but I'm still getting the same error.

This is my request:

POST  /API/Account/<account id>/Vendor

{:name=>"foo", :timeStamp=>"2017-04-05T14:10:24-07:00"}

Full response: 

<?xml version="1.0"?>
<Error><httpCode>403</httpCode><httpMessage>Forbidden</httpMessage><message>Not Authorized: Insufficient rights to perform the request</message><errorClass>InsufficientRightsError</errorClass></Error>


I've also tried passing in XML, but I'm getting the same response. XML:

<?xml version="1.0"?>
<Vendor>
      <name>foo</name>
      <timeStamp>2017-04-05T14:10:24-07:00</timeStamp>
</Vendor>


For reference, here is the Lightspeed definition for a 403:

403 Forbidden: The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference.

Anything I can do? Thanks in advance.

Ricky Manriquez

Apr 7, 2017, 3:33:27 PM
to Lightspeed Retail API Developers
After contacting Lightspeed support, I was able to get to the root of the problem, which was that someone else on my project had changed permissions for the Employee Role, and I was unaware of it.

The way you can test your OAuth token to see what roles it has is by making a GET request to /API/Session. Mine was missing "vendor" under "Rights".

For anyone else with this problem, you can modify Employee Roles under Settings on Lightspeed's retail UI.


Here is the exact response that was emailed to me in case it helps anyone else:

A 403 should mean one of two things:
  1. Your token's scope doesn't include access to vendors.
  2. The employee that granted the token doesn't have the rights to access to vendors.
It sounds like your token has the right scope, but someone may have changed the rights for the employee that granted it. You can make a call to the /API/Session endpoint to see which employee it is and their rights. You'll see "vendors": "true" if they have access to vendors. If you don't see "vendors" at all, it means they don't have that right.
-----

The access you have also depends on the employee's rights. It will check your token's scope, then the employee's rights and only requests that are allowed by both will go through.

Someone must have changed the employee's rights in Lightspeed Retail. You'll need to contact them and ask them to change the rights back, or reauthorize to get a new token with a different user.

---- 
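The support reply above describes two independent gates (token scope and the granting employee's rights) and says a request only succeeds when both allow it, with a missing entry under "Rights" meaning the right is not held. The following is an added example, not code from the thread or from Lightspeed: it parses the exact 403 body quoted in the first post, extracts the rights from a /API/Session response, and reports which rights a planned call would lack before the call is made. The two session bodies are constructed samples; their nesting (Session, Employee, Rights) is a hypothetical layout, which is why the parser walks the whole document for a "Rights" object instead of hard-coding a path. `request_allowed` is a simplified model that treats the token scope and the employee rights as sets of the same right names.

```python
"""Pre-flight rights check for a Lightspeed Retail API call (added example)."""
import json
import xml.etree.ElementTree as ET

# CONSTRUCTED sample /API/Session bodies. The nesting Session -> Employee
# -> Rights is a hypothetical layout; only the "Rights" object holding
# "<name>": "true" entries is taken from the thread.
SESSION_OK = json.dumps({
    "Session": {
        "employeeID": "1",
        "Employee": {
            "firstName": "Example",
            "Rights": {"vendors": "true", "inventory": "true"},
        },
    }
})
SESSION_NO_VENDORS = json.dumps({
    "Session": {
        "employeeID": "1",
        "Employee": {"firstName": "Example", "Rights": {"inventory": "true"}},
    }
})

# The 403 body exactly as quoted in the first post.
ERROR_403 = (
    '<?xml version="1.0"?>\n'
    '<Error><httpCode>403</httpCode><httpMessage>Forbidden</httpMessage>'
    '<message>Not Authorized: Insufficient rights to perform the request</message>'
    '<errorClass>InsufficientRightsError</errorClass></Error>'
)


def effective_rights(session_doc):
    """Collect the right names the employee behind the token holds.

    Walks the parsed document for any object keyed "Rights"/"rights" so the
    check does not depend on exact nesting. A right counts as granted when
    its value is the string "true" or boolean True; a right absent from the
    object is treated as not granted, as the support reply describes.
    """
    granted = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() == "rights" and isinstance(value, dict):
                    granted.update(
                        name for name, flag in value.items()
                        if str(flag).lower() == "true"
                    )
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(session_doc)
    return granted


def missing_rights(session_json, required):
    """Return, sorted, the required rights the employee lacks."""
    return sorted(set(required) - effective_rights(json.loads(session_json)))


def request_allowed(token_scope, employee_rights, required):
    """Simplified model of the rule in the support reply: a request goes
    through only when every right it needs is allowed by BOTH the token's
    scope and the employee's rights (both given as sets of right names)."""
    return set(required) <= (set(token_scope) & set(employee_rights))


def classify_error(body):
    """Parse a Lightspeed XML <Error> body into a dict of its child elements."""
    root = ET.fromstring(body)
    if root.tag != "Error":
        raise ValueError("not an <Error> document")
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    err = classify_error(ERROR_403)
    print(err["httpCode"], err["errorClass"], "-", err["message"])
    for label, doc in (("ok", SESSION_OK), ("no vendors", SESSION_NO_VENDORS)):
        print(label, "missing rights for POST /Vendor:", missing_rights(doc, ["vendors"]))
```

Running the pre-flight check against /API/Session after any token refresh makes the failure mode in this thread visible immediately: a fresh token with the right scope still reports "vendors" missing when the employee role has been edited, which points at the role configuration rather than at the token.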