As your documentation says I have created a view-only user with a token and when using that token to show a widget I'm getting an error saying "This user has superuser access". It works if I load the same url while logged out or in another browser. Seems odd if it shouldn't work since this should be a fairly common case.
It should be possible to show the widget even if you are currently logged in as a super user in the same browser.
Error message saying
"This user has super user access. For embedding widgets super user token auths are not allowed. See our faq for more information."
I have tried to follow the code and it seems that when using the token_auth parameter there is a call to the method Request::reloadAuthUsingTokenAuth, eventually landing in Access::reloadAccess; however, it returns without reloading since $this->hasSuperUserAccess is still true from the session auth.
We are trying to embed widgets in an external dashboard.
I'm running your latest docker image.
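A simplified model of the behaviour reported above, added here as an illustration and not taken from Matomo's source: a privilege flag cached from the session short-circuits the token reload, next to one way of resetting it. The class, method names, users and token value are all hypothetical or constructed.

```php
<?php
// Simplified model of the reported behaviour. All names are hypothetical;
// this is not Matomo's code and not necessarily how the project fixed it.
final class AccessModel
{
    private bool $hasSuperUserAccess = false;
    private ?string $login = null; // null = not authenticated
    // Constructed sample data: login => is super user, token => login.
    private const USERS  = ['root' => true, 'dashboard-viewer' => false];
    private const TOKENS = ['VIEW_TOKEN_PLACEHOLDER' => 'dashboard-viewer'];

    public function loginFromSession(string $login): void
    {
        $this->login = $login;
        $this->hasSuperUserAccess = self::USERS[$login] ?? false;
    }

    // Reported behaviour: the flag set by the session ends the reload early,
    // so the identity behind the view-only token is never evaluated.
    public function reloadSticky(string $tokenAuth): void
    {
        if ($this->hasSuperUserAccess) {
            return;
        }
        $this->applyToken($tokenAuth);
    }

    // Expected behaviour: an explicit token replaces session-derived state.
    public function reloadFromToken(string $tokenAuth): void
    {
        $this->hasSuperUserAccess = false;
        $this->login = null;
        $this->applyToken($tokenAuth);
    }

    private function applyToken(string $tokenAuth): void
    {
        $login = self::TOKENS[$tokenAuth] ?? null; // unknown token: no identity
        $this->login = $login;
        $this->hasSuperUserAccess = $login !== null && self::USERS[$login];
    }

    // Widget embedding is allowed only for an authenticated non-super user.
    public function canEmbedWidget(): bool
    {
        return $this->login !== null && !$this->hasSuperUserAccess;
    }
}
$a = new AccessModel(); $a->loginFromSession('root'); $a->reloadSticky('VIEW_TOKEN_PLACEHOLDER');
$b = new AccessModel(); $b->loginFromSession('root'); $b->reloadFromToken('VIEW_TOKEN_PLACEHOLDER');
var_dump($a->canEmbedWidget(), $b->canEmbedWidget());
```

In the first case the session's super-user state survives the token reload and the embed check rejects the request; in the second the access decision is made only from the token presented with the request.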
Hi @carlgrundberg, thanks for creating this issue. Very appreciated.
I've just tried it and I was able to reproduce this.
It is definitely a bug. Sorry about it, we’ll do our best so we can hopefully get things sorted soon.
I tried it with admin user as well and got another error message:
This user has at least some write access. Only tokens of users who have only view access can be used.
The token I used was a view token.