API: Per-tracker permission tiki_p_admin_trackers not honored — 403 on GET /api/trackers/{id}/items

Status
Closed
Subject
API: Per-tracker permission tiki_p_admin_trackers not honored — 403 on GET /api/trackers/{id}/items
Version
29.x
Category
  • Error
Feature
All / Undefined
Resolution status
Fix on the Way
Submitted by
Bernard Sfez / Tiki Specialist
Volunteered to solve
Ushindi Gedeon
Lastmod by
Bernard Sfez / Tiki Specialist
Rating
(0)
Description

When tiki_p_admin_trackers is granted at the per-tracker level (tracker-specific permission), the REST API returns 403.

The same permission granted at the global level works correctly.

Steps to reproduce:
1. Create a user and generate an API token
2. Assign tiki_p_admin_trackers to the user's group only for tracker ID 1 (per-tracker permission)
3. Call:

curl -X 'GET' \
'https://wiki.is-il.org.il/api/trackers/1' \
-H 'accept: application/json' \
-H 'Authorization: Bearer TOKEN_HERE'

Response: {"code":403,"errortitle":"Reserved for tracker administrators"}

If you set tiki_p_admin_trackers as a global permission instead of per-tracker for the same user group and you use the same tracker, it works as expected:
{"trackerId":1,"offset":-1,"maxRecords":-1,"result":[{"itemId":4...

Solution
Workaround
Importance
5
Easy to solve?
5
Priority
25
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
8975
Reviewed by Wishlist Team On
15 May 26 09:46 UTC
Created
Monday 04 May, 2026 20:40:17 UTC
by Bernard Sfez / Tiki Specialist
LastModif
Saturday 27 June, 2026 04:32:41 UTC
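
The reproduction in the description, as an added regression check (not part of the ticket and not Tiki code): besides confirming that the per-tracker grant returns 200, it confirms that the same token is still refused on a tracker it was not granted, so a fix does not turn the scoped permission into a global one. The second tracker ID, the `fake_server` stand-in and the sample bodies are assumptions constructed for the example.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses, modelled on the two bodies quoted in the ticket.
DENIED = (403, {"code": 403, "errortitle": "Reserved for tracker administrators"})
ALLOWED = (200, {"trackerId": 1, "result": []})


def _parse(raw):
    try:
        return json.loads(raw or b"{}")
    except ValueError:
        return {}


def http_fetch(base_url, token, tracker_id):
    """GET /api/trackers/{id} with a bearer token; return (status, body)."""
    req = urllib.request.Request(
        "%s/api/trackers/%d" % (base_url.rstrip("/"), tracker_id),
        headers={"accept": "application/json", "Authorization": "Bearer " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())


def classify(fetch, granted_id, ungranted_id):
    """fetch(tracker_id) -> (status, body); returns a verdict for the token."""
    granted, _ = fetch(granted_id)
    other, _ = fetch(ungranted_id)
    if granted == 403:
        return "bug-present"   # per-tracker grant ignored, as reported
    if granted == 200 and other == 200:
        return "over-granted"  # scoped grant is acting like a global one
    if granted == 200 and other == 403:
        return "ok"            # grant honored and still scoped
    return "unexpected:%d/%d" % (granted, other)


def fake_server(allowed_ids):
    """Offline stand-in: 200 for trackers in allowed_ids, 403 otherwise."""
    return lambda tracker_id: ALLOWED if tracker_id in allowed_ids else DENIED


if __name__ == "__main__":
    for name, allowed in [("reported", set()), ("fixed", {1}), ("too broad", {1, 2})]:
        print(name, "->", classify(fake_server(allowed), 1, 2))
```

Against a live instance, pass `lambda t: http_fetch(BASE_URL, TOKEN, t)` as `fetch`, with your own base URL and token and a second tracker that exists but carries no grant for the group.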

