Metabase API can be accessed by non-admin users?

Can non-admin users make requests to the API? Like changing settings, appearance of the application, etc.
Use case: In the /api/settings API it's documented as "If called by a non-superuser, only user-local settings can be updated."
But when I try to hit it with a non-admin user with an API key, it still gives me 403.
If I assign the non-admin user a setting permission and try to hit the API, it gives 204, but it changes settings for all users, not just for the specific user.

Can you share with me the API request and parameters you're passing?

That shouldn't be the case, and I tried to hit an Admin Setting with a non-Admin user and it fails ... So I am curious what request you're passing.

Are you using an API key to do so or a session token? (If using a session token, I would highly recommend using an API key, because you might be getting an Admin user session token.) Also, the Metabase version please.

I am using the below request with an API key:

curl /api/setting/ \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{
  "application-colors": {
    "brand": "#FF0000",
    "summarize": "#FF003B",
    "filter": "#000000",
    "accent0": "#FF0005"
  }
}'

Even in the UI, if I give a non-admin user the settings permission and he tries to change application colors in the appearance section, it changes for all users.

Oh, now I get you: you mean an Application Permission, and specifically a setting permission. My bad, sorry.

So yes, that is by design: if you give setting access, essentially a non-admin user can edit any setting he wants. For reference:

Does it mean the changed values are applied to all users even if they are changed by a non-admin user?

Any setting inside the settings page is an instance setting, so it will change the instance as a whole. What that permission does is allow a non-admin user to perform such changes.

Okay, thank you so much TonyC