Error #3009 Forbidden occurs when the user does not have sufficient permissions to perform an operation. Sometimes this error appears for a user with administrator privileges. This article describes how to diagnose the problem and how to resolve it.
Description
When performing any action in the platform, Error #3009 Forbidden is displayed in the interface and the operation is not performed, even though the administrator has sufficient permissions to perform the operation.
This behavior can occur for administrators created before version 2023.06.1. The error is caused by desynchronization of the auth_user and auth_user_role database tables. The auth_user table assigns the @user role to the administrator and the auth_user_role table assigns the @admin role. As a result, when the global role is checked against the auth_user table, the administrator is denied the operation.
To resolve the problem, change the administrator role in the auth_user table.
Solution
There are potential risks involved in altering a database. We do not recommend making manual edits to the database, as it can disrupt the correct operation of the platform.
Create a backup of the platform before performing any actions with the database.
To solve the problem:
- Connect to the server with the platform via SSH.
- Connect to the database:
  docker exec -it mysql bash -c "mysql isp -p\$MYSQL_ROOT_PASSWORD"
- Get all records with the roles parameter unsynchronized:
  SELECT au.id,au.email,au.roles,aur.roles FROM auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user WHERE au.roles != aur.roles;
  Example of output:
  +-----+--------------------------+-----------+------------+
  | id  | email                    | roles     | roles      |
  +-----+--------------------------+-----------+------------+
  | 23  | bill@test.tk             | ["@user"] | ["@admin"] |
  | 237 | t.test@domain.com        | ["@user"] | ["@admin"] |
  +-----+--------------------------+-----------+------------+
- Synchronize the records:
  UPDATE auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user SET au.roles = aur.roles WHERE au.roles != aur.roles;
  Example of output:
  Query OK, 2 rows affected (0.01 sec)
  Rows matched: 2 Changed: 2 Warnings: 0
- Verify that the roles are synchronized. To do this, run the query again:
  SELECT au.id,au.email,au.roles,aur.roles FROM auth_user AS au JOIN auth_user_role AS aur ON au.id = aur.user WHERE au.roles != aur.roles;
  The output should be empty.
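
Because the synchronization copies @admin into the table used for the global role check, it is a privilege change and is worth applying only to accounts that were reviewed. The following is an added example, not part of the original article or the vendor's tooling: it runs the same UPDATE inside a transaction, limited to reviewed ids, after saving the old values. It assumes InnoDB tables, uses ids 23 and 237 from the sample output above, and auth_user_roles_backup is a hypothetical table name.

```sql
-- Added example (not vendor code). Assumptions: InnoDB tables, ids 23 and 237
-- were reviewed and should be administrators, auth_user_roles_backup is a
-- hypothetical name that does not exist yet.

-- 1. Save the current values of the rows about to change. CREATE TABLE causes
--    an implicit commit in MySQL, so it runs before the transaction starts.
CREATE TABLE auth_user_roles_backup AS
SELECT au.id, au.email, au.roles AS old_roles, NOW() AS saved_at
FROM auth_user AS au
JOIN auth_user_role AS aur ON au.id = aur.user
WHERE au.roles != aur.roles
  AND au.id IN (23, 237);

-- 2. Apply the change only to the reviewed ids, inside a transaction.
START TRANSACTION;

UPDATE auth_user AS au
JOIN auth_user_role AS aur ON au.id = aur.user
SET au.roles = aur.roles
WHERE au.roles != aur.roles
  AND au.id IN (23, 237);

-- 3. Check before making it permanent: the reviewed ids must no longer be
--    listed. Any row still listed is an account that was not reviewed.
SELECT au.id, au.email, au.roles AS user_roles, aur.roles AS role_table_roles
FROM auth_user AS au
JOIN auth_user_role AS aur ON au.id = aur.user
WHERE au.roles != aur.roles;

-- 4. If "Rows matched" equals the number of reviewed ids and the check is clean:
COMMIT;
-- Otherwise undo the change instead of committing:
-- ROLLBACK;

-- To restore the saved values later:
-- UPDATE auth_user AS au JOIN auth_user_roles_backup AS b ON au.id = b.id
-- SET au.roles = b.old_roles;
```

Drop the backup table once the platform has been confirmed to work correctly.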