Idriss_BENBASSOU
Partner - Contributor

the endpoint api "/actions/change-owner" is not working as expected in browser

Hello,

I'm facing a weird behavior when using the endpoint: "/v1/apps/{appId}/objects/{objectId}/actions/change-owner" [POST]. When I use it in JavaScript with the classic fetch function, I consistently get a 403 error. However, when I run the same request in Postman, it works fine. By 'same,' I mean the same API token, object, application, content-type and ownerId.

 
For information, I am using a user who is both the admin and the owner of the application and the object. So, what am I missing? This is the only endpoint that isn't working correctly. For example, if I try /v1/apps to fetch all applications, it works fine.
 
The request:

    fetch("https://<tenant>/api/v1/apps/<app_id>/objects/<sheet_id>/actions/change-owner", {
      method: "POST",
      body: JSON.stringify({
        "ownerId": "<ID>"
      }),
      headers: {
        "Content-Type": "application/json",
        "Authorization": "Bearer <token>"
      },
    })
      .then((res) => res.json())
      .then((data) => {
        console.log(data);
      })
      .catch((error) => console.error("Error:", error));

1 Solution

Accepted Solutions
DaveChannon
Employee

If you're doing this in the browser context, you'll need to send the csrf token with the request, e.g.

 


    fetch("https://<tenant>/api/v1/apps/<app_id>/objects/<sheet_id>/actions/change-owner", {
      method: "POST",
      body: JSON.stringify({
        "ownerId": "<ID>"
      }),
      headers: {
        "Content-Type": "application/json",
        "Authorization": "Bearer <token>",
        "qlik-csrf-token": "<csrf-token>"
      },
    })
      .then((res) => res.json())
      .then((data) => {
        console.log(data);
      })
      .catch((error) => console.error("Error:", error));

The CSRF token can be retrieved from https://qlik.dev/apis/rest/csrf-token/#get-v1-csrf-token

 

If you're doing this as a helper in a window that's already auth'd (i.e. you have the cookie), I guess you could do it without the Auth header too (depends on your implementation).


3 Replies
Idriss_BENBASSOU
Partner - Contributor
Author

Thank you for your help. It is now working after adding the "qlik-csrf-token" to the header. You might consider adding this to the documentation.

https://qlik.dev/apis/rest/apps/#post-v1-apps-appId-objects-objectId-actions-change-owner

 

DaveChannon
Employee

I'll add a task to document CSRF requirements in general when making browser requests vs external client requests.
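
The fix from the accepted solution as an added example (not code from the thread or from Qlik): fetch the CSRF token first, then send it with the change-owner POST, and treat a non-2xx response as an error instead of parsing it. The helper names and the injectable `fetchImpl` parameter are hypothetical, and it assumes the token is returned in the `qlik-csrf-token` response header of `GET /api/v1/csrf-token`.

```javascript
// Added example: getCsrfToken, buildChangeOwnerRequest and changeOwner are
// hypothetical helpers, not part of any Qlik library.

// Assumption: GET /api/v1/csrf-token returns the token in the
// "qlik-csrf-token" response header (see the qlik.dev link in the thread).
async function getCsrfToken(tenant, authHeaders, fetchImpl = fetch) {
  const res = await fetchImpl(`https://${tenant}/api/v1/csrf-token`, {
    method: "GET",
    credentials: "include", // assumption: send the session cookie if the window is already auth'd
    headers: authHeaders,
  });
  const token = res.headers.get("qlik-csrf-token");
  if (!res.ok || !token) {
    throw new Error(`CSRF token request failed (HTTP ${res.status})`);
  }
  return token;
}

// Pure function, so the exact request can be inspected or unit-tested.
function buildChangeOwnerRequest(tenant, appId, objectId, ownerId, csrfToken, authHeaders = {}) {
  const path = `/api/v1/apps/${encodeURIComponent(appId)}` +
    `/objects/${encodeURIComponent(objectId)}/actions/change-owner`;
  return {
    url: `https://${tenant}${path}`,
    init: {
      method: "POST",
      credentials: "include",
      headers: { "Content-Type": "application/json", "qlik-csrf-token": csrfToken, ...authHeaders },
      body: JSON.stringify({ ownerId }),
    },
  };
}

async function changeOwner({ tenant, appId, objectId, ownerId, bearerToken }, fetchImpl = fetch) {
  // The Authorization header is optional: a cookie session may be enough.
  const authHeaders = bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {};
  const csrfToken = await getCsrfToken(tenant, authHeaders, fetchImpl);
  const { url, init } = buildChangeOwnerRequest(tenant, appId, objectId, ownerId, csrfToken, authHeaders);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // In this thread the 403 came from the missing CSRF header; surface it instead of parsing it.
    throw new Error(`change-owner failed (HTTP ${res.status})`);
  }
  return res.json();
}
```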