Giving permissions to guests group

What is the problem?

Trying to enable basic permissions (STATUS and WEBCAM only) to the guests group. This is preferable to auto-login as the primary printer functions are still walled off. The results are being used in a dashboard used across 12 Ender 3 printers. We could create an API key on every single printer with restricted permissions, but that seems annoying. If this is simply not possible, that will be the way we go.

What did you already try to solve it?

Ran the following in a shell:

curl -d '{"permissions":["STATUS","WEBCAM"]}' -H 'Content-Type: application/json' -X PUT \
    'http://localhost/api/access/groups/guests?apikey=...'

(this can be completely automated by having a script scrape the apikey)

This causes the groups.yaml file to be created and it has those two permissions in it for guests. However, when trying to run another request such as /api/printer it fails with a 403 {"error":"You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."} but with an API key, it works. The /api/currentuser call gives the following:

{"groups":["guests"],"name":null,"permissions":["STATUS","WEBCAM"]}

So it is seeing the permissions for guests, just not "believing" them. I have also tried restarting the octopi service.

Systeminfo Bundle

Currently, I only have command line access, and neither octoprint systeminfo -b .octoprint -v nor octoprint systeminfo -b .octoprint -v /home/pi produce any output (but they run for quite some time). No files saved, no messages printed out, nothing.

Additional information about your setup

OctoPrint version: 1.8.1
OctoPi version: 0.18.0
OS: Raspbian GNU/Linux 10 (buster)

I can't reproduce this issue, it works fine for me to add the status permission to guests, logout and then access /api/printer in the browser. see update below, I was wrong

Did you complete the setup wizard on this instance? The parts of the post about having no GUI access make me wonder if there is no admin user setup yet, so the permissions system is not up and running.

UPDATE: When you don't use an API key, you need to 'login' a user - guest access doesn't seem to get around that.

Before accessing /api/printer, it works to send a POST to /api/login with the body {"passive": "true"} (docs). Then a session cookie is set (for a 'guest' user) and you can then GET /api/printer.

This is not completely clear behaviour, and there might be a bug in there. Especially as it seemed to work initially when I logged out of the browser, indicating that maybe even an invalid cookie works to allow guest access. I don't know why it needs a cookie for that, but I am just playing spot-the-difference.

EDIT 2: When you log out, you are given a different cookie - which works for guest access. This explains that behaviour, and doesn't seem like a bug.

To make it completely clear in case my investigation rambling is not - you either need an API key or a cookie, which can be obtained from POST /api/login, even for a passive request. Just requesting with nothing will not work for endpoints needing permissions.
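The sequence just described, as an added example that is not code from this thread or from OctoPrint: a small Python client that sends the passive POST to /api/login, keeps the resulting session cookie in a jar, and only then calls /api/printer. It assumes a plain OctoPrint base URL with nothing else in front of it; so that it runs offline it also carries a constructed mock server that reproduces only the rule under discussion (403 without a cookie, 200 with one), and the mock's responses are made-up stand-ins, not real OctoPrint output.

```python
import json
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Client side: no API key is used, so a passive POST to /api/login must first yield a session cookie.
def make_session():
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
def passive_login(opener, base_url):
    req = urllib.request.Request(base_url + "/api/login", json.dumps({"passive": True}).encode(),
                                 {"Content-Type": "application/json"})
    with opener.open(req) as resp:   # the Set-Cookie from the reply lands in the jar
        return json.load(resp)
def get_printer(opener, base_url):
    try:
        with opener.open(base_url + "/api/printer") as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code                # 403 when neither API key nor cookie is sent

class MockOctoPrint(BaseHTTPRequestHandler):  # constructed stand-in, not OctoPrint itself
    def _send(self, code, body, cookie=None):
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(payload)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(payload)
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/api/login" and body.get("passive"):
            self._send(200, {"name": None, "groups": ["guests"]}, "session=demo; Path=/")
        else:
            self._send(403, {"error": "forbidden"})
    def do_GET(self):  # guest permissions alone are not enough; the session cookie is required
        if self.path == "/api/printer" and "session=" in self.headers.get("Cookie", ""):
            self._send(200, {"state": {"text": "Operational"}})
        else:
            self._send(403, {"error": "You don't have the permission to access the requested resource."})
def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockOctoPrint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port
def demo(base_url):
    opener = make_session()
    before = get_printer(opener, base_url)     # 403: no API key and no cookie yet
    passive_login(opener, base_url)            # jar now holds the session cookie
    return before, get_printer(opener, base_url)  # 200 with the cookie
```

Point demo() at a real instance's base URL to reproduce the curl flow from a script; a browser-hosted dashboard cannot reuse it, since OctoPrint does not allow credentials under CORS and the cookie would never be sent.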

Okay, I will try that. By the way, I did finish setup, it's just that the machine was on a different network at the time that I could SSH to but not HTTP to (I could have done port forwarding I guess, but didn't think about that).

I can get a system bundle now from the website (still not working on the terminal...).

So this does work with curl! However, I was about to migrate to using a website, and I remembered this part from the documentation:

For security reasons, OctoPrint will not set the Access-Control-Allow-Credentials header, even if CORS support is enabled. That means that cookies will not be sent by the browser to OctoPrint, effectively making it impossible to authenticate through the login mechanism (or reusing an existing login session). When accessing OctoPrint via CORS, you’ll therefore always need to use an API key.

So you have solved how to access it from anywhere but a browser (using a POST to /api/login) but ultimately this is going to need an API key. I can probably set up something to distribute the same restricted API key to all configuration files in all pis.

Thanks for your help!
