Idriss_BENBASSOU
Partner - Contributor

the endpoint api "/actions/change-owner" is not working as expected in browser

Hello,

I'm facing a weird behavior when using the endpoint: "/v1/apps/{appId}/objects/{objectId}/actions/change-owner" [POST]. When I use it in JavaScript with the classic fetch function, I consistently get a 403 error. However, when I run the same request in Postman, it works fine. By 'same,' I mean the same API token, object, application, content-type and ownerId.

 
For information, I am using a user who is both the admin and the owner of the application and the object. So, what am I missing? This is the only endpoint that isn't working correctly. For example, if I try /v1/apps to fetch all applications, it works fine.
 
The request:

fetch("https://<tenant>/api/v1/apps/<app_id>/objects/<sheet_id>/actions/change-owner", {
  method: "POST",
  body: JSON.stringify({
    "ownerId": "<ID>"
  }),
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer <token>"
  },
})
  .then((res) => res.json())
  .then((data) => {
    console.log(data);
  })
  .catch((error) => console.error("Error:", error));


Accepted Solutions
DaveChannon
Employee

If you're doing this in the browser context, you'll need to send the csrf token with the request, e.g.

 


fetch("https://<tenant>/api/v1/apps/<app_id>/objects/<sheet_id>/actions/change-owner", {
  method: "POST",
  body: JSON.stringify({
    "ownerId": "<ID>"
  }),
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer <token>",
    "qlik-csrf-token": "<csrf-token>"
  },
})
  .then((res) => res.json())
  .then((data) => {
    console.log(data);
  })
  .catch((error) => console.error("Error:", error));

The CSRF token can be retrieved from https://qlik.dev/apis/rest/csrf-token/#get-v1-csrf-token

 

If you're doing this as a helper in a window that's already auth'd (i.e. you have the cookie), I guess you could do it without the Auth header too (depends on your implementation).
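
The flow described in the answer above, as an added example that is not part of the original post or Qlik's own code: fetch the CSRF token first, then send it with the state-changing POST. It assumes a window that already holds the session cookie and that the csrf-token endpoint returns the token in a `qlik-csrf-token` response header; the function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not Qlik's own code.
// Assumption: GET /api/v1/csrf-token returns the token in the
// "qlik-csrf-token" response header (see the reference linked above).
const CSRF_HEADER = "qlik-csrf-token";

// Ask the tenant for a CSRF token, using the window's session cookie.
async function getCsrfToken(tenant, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`https://${tenant}/api/v1/csrf-token`, {
    credentials: "include", // send the session cookie with the request
  });
  const token = res.headers.get(CSRF_HEADER);
  if (!token) throw new Error(`no ${CSRF_HEADER} header (HTTP ${res.status})`);
  return token;
}

// Build the POST; IDs are URL-encoded so they cannot change the path.
function buildChangeOwnerRequest(tenant, appId, objectId, ownerId, csrfToken) {
  const path = `/api/v1/apps/${encodeURIComponent(appId)}` +
    `/objects/${encodeURIComponent(objectId)}/actions/change-owner`;
  return {
    url: `https://${tenant}${path}`,
    init: {
      method: "POST",
      credentials: "include",
      headers: { "Content-Type": "application/json", [CSRF_HEADER]: csrfToken },
      body: JSON.stringify({ ownerId }),
    },
  };
}

// Fetch a token, send the request, and turn a non-2xx status (such as the
// 403 from the question) into an error instead of logging it as data.
async function changeOwner(tenant, appId, objectId, ownerId,
                           fetchImpl = globalThis.fetch) {
  const csrfToken = await getCsrfToken(tenant, fetchImpl);
  const { url, init } =
    buildChangeOwnerRequest(tenant, appId, objectId, ownerId, csrfToken);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`change-owner failed: HTTP ${res.status}`);
  return res.json();
}
```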


Idriss_BENBASSOU
Partner - Contributor
Author

Thank you for your help. It is now working after adding the "qlik-csrf-token" to the header. You might consider adding this to the documentation.

https://qlik.dev/apis/rest/apps/#post-v1-apps-appId-objects-objectId-actions-change-owner

 

DaveChannon
Employee

I'll add a task to document CSRF requirements in general when making browser requests vs external client requests.