Hi, sorry if this question is already answered somewhere but I looked through the docs and support requests and did not see an answer.

When trying to access Services, namely doing a node.load, using a module such as GET Server or REST Server, I am given a Access Denied or Forbidden if Node module - Access Content is not set to allow Anonymous Users. It simply returns a permission denied, even though using API Keys.
Turning on Anonymous access to Content allows for it to work.

Is this the way it is supposed to work? If so, is there a different way to go about this in order to use Services without allowing access to content to anonymous users? Thanks for any help.

Comments

amitaibu’s picture

Component: Code » Documentation
Status: Active » Postponed (maintainer needs more info)

You have the 'access services' which you need to set to anonymous, and then every service has it's own permission (e.g. 'load raw node data').

coderintherye’s picture

Component: Documentation » Code
Status: Postponed (maintainer needs more info) » Active

I'm setting this back to active. I have Services set to Anonymous and Load Raw Node Data set to anonymous and still get permission denied no matter what unless I turn Content on to Anonymous Access. I may be doing something wrong, but your suggested solution is not the answer.

marcingy’s picture

What settings do you have enabled under the keys tab in the admin section of services?

coderintherye’s picture

There are no settings under the Keys tab in the admin section of services, at least in my installation.

I have:

"An API key is required to allow an application to access Drupal remotely."

Then there is a table with "Key" "Title" "Domain" "Operations" I have tried creating a key here and using it to no avail, always permission denied unless Anonymous access to Content is allowed.

Now, if you meant under the 'Settings' Tab under Services. I have 'Use keys' checked. I have tried all combinations of having the three Security checkboxes checked or unchecked and always get permission denied unless Anonymous access is enabled.

marcingy’s picture

The api keys do not relate to user and hence this will return access denied unless annoymous access is set. You would need to carry out the following steps to prevent the annoymous error. Pass in a user name and password using user.login. Then call the node.load service passing in the session id that has been generated. A change has been raised which if worked upon will API keys to users which could then overcome the need for the login step - http://drupal.org/node/277248

coderintherye’s picture

Category: support » feature

Ok, I am changing to a feature request. For my purposes this module is fairly useless without being able to use API Keys without allowing anonymous access to Content. I am using a GET Request to get updated nodes and output them to a static HTML Website. There is sensitive information and such on the Drupal Server, hence one of the reasons (although not my choice) to push it out to a static server. If anyone can see content on the Drupal server than this defeats the security of those sensitive pages. Perhaps though this is also an issue for Core regarding accessing Content, if you have multiple content types, why not be able to just set 'access content' permission for each content type, (i.e., access blog content). Thanks for considering this added feature in your future releases.

amitaibu’s picture

@anarchman,
Maybe this module will help you - it allows you to set access per content type. http://drupal.org/project/content_access

coderintherye’s picture

Amitaibu,

Excellent, hadn't seen that before, I will give it a go tomorrow and see if it works for this situation.

brmassa’s picture

Version: 5.x-0.91 » 6.x-0.10
Status: Active » Fixed

Guys,

fixed.

regards,

massa

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.