VMmanager Knowledge Base

Error #3009 Forbidden under administrator account

Error #3009 Forbidden occurs if the user does not have enough permissions to perform an operation. Sometimes this error may appear for a user with administrator privileges. This article describes how to diagnose and resolve the problem.

Description

When performing any action in the platform, Error #3009 Forbidden is displayed in the interface and the operation is not performed, even though the administrator has sufficient permissions to perform the operation.

This behavior can occur with administrators created before version 2023.06.1. The error is caused by desynchronization of the auth_user and auth_user_role database tables. The auth_user table assigns the @user role to the administrator and the auth_user_role table assigns the @admin role. As a result, when the platform checks the global role from the auth_user table, the administrator is denied the operation.

To resolve the problem, change the administrator role in the auth_user table.

Solution

There are potential risks involved in altering a database. We do not recommend making manual edits to the database, as it can disrupt the correct operation of the platform.

Create a backup of the platform before performing any actions with the database.

To solve the problem:

  1. Connect to the server with the platform via SSH.
  2. Connect to the database:

    docker exec -it mysql bash -c "mysql isp -p\$MYSQL_ROOT_PASSWORD"

  3. Get all records in which the roles values are not synchronized:

    SELECT au.id,au.email,au.roles,aur.roles FROM auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user WHERE au.roles != aur.roles;

    Example of output:

    +-----+--------------------------+-----------+------------+
    | id  | email                    | roles     | roles      |
    +-----+--------------------------+-----------+------------+
    | 23  | bill@test.tk             | ["@user"] | ["@admin"] |
    | 237 | t.test@domain.com        | ["@user"] | ["@admin"] |
    +-----+--------------------------+-----------+------------+

  4. Synchronize the records:

    UPDATE auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user SET au.roles = aur.roles WHERE au.roles != aur.roles;

    Example of output:

    Query OK, 2 rows affected (0.01 sec)
    Rows matched: 2  Changed: 2  Warnings: 0

  5. Verify that the roles are synchronized. To do this, run the query again:

    SELECT au.id,au.email,au.roles,aur.roles FROM auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user WHERE au.roles != aur.roles;

    The output should be empty.
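
The UPDATE in step 4 rewrites the role of every mismatched account in one statement, so it is worth recording exactly which accounts it changes. The following is an added example, not part of the VMmanager documentation: it snapshots the mismatched rows, applies the update only to the reviewed rows inside a transaction, and keeps the old values for rollback. The table name auth_user_roles_backup is hypothetical, and the script assumes auth_user uses a transactional engine such as InnoDB.

```sql
-- Added example; auth_user_roles_backup is a hypothetical table name.
-- Assumes auth_user uses a transactional engine (InnoDB), otherwise
-- ROLLBACK cannot undo the UPDATE.

-- 1. Snapshot the rows that are out of sync. CREATE TABLE commits
--    implicitly in MySQL, so it runs before the transaction starts.
CREATE TABLE auth_user_roles_backup AS
SELECT au.id,
       au.email,
       au.roles  AS old_roles,   -- value currently in auth_user
       aur.roles AS new_roles,   -- value to be copied from auth_user_role
       NOW()     AS saved_at
FROM auth_user AS au
JOIN auth_user_role AS aur ON au.id = aur.user
WHERE au.roles != aur.roles;

-- 2. Review the list: every account here receives new_roles.
--    Delete any row from the snapshot that should not be changed.
SELECT id, email, old_roles, new_roles FROM auth_user_roles_backup;

-- 3. Apply the change only to the reviewed rows.
START TRANSACTION;

UPDATE auth_user AS au
JOIN auth_user_roles_backup AS b ON au.id = b.id
SET au.roles = b.new_roles
WHERE au.roles = b.old_roles;    -- skip rows that changed since the snapshot

-- 4. List reviewed accounts that still differ; expect an empty result.
SELECT au.id, au.email, au.roles, b.new_roles
FROM auth_user AS au
JOIN auth_user_roles_backup AS b ON au.id = b.id
WHERE au.roles != b.new_roles;

-- 5. Keep the change, or run ROLLBACK instead of COMMIT to discard it.
COMMIT;

-- To restore the previous roles after COMMIT:
-- UPDATE auth_user AS au
-- JOIN auth_user_roles_backup AS b ON au.id = b.id
-- SET au.roles = b.old_roles;
```

Drop auth_user_roles_backup once the affected administrators have confirmed that the error no longer appears.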