Code Injection / error "Request was rejected because user is not permitted to perform this operation"

Hi. I’m getting error “Request was rejected because user is not permitted to perform this operation” when I try to add a script using Code Injection.
The script I’m adding is a simple JSON-LD of FAQ Schema, but it doesn’t matter which script I’m trying to add, including an empty tag.

Details:

Steps to reproduce:

  1. Edit post
  2. Settings → Code Injection → Post Header
  3. Enter text Observe: no error
  4. Enter text Observe error “Update failed: Unknown Error”
  5. Attempt to update site. Observe error “Request was rejected because user is not permitted to perform this operation”

Expected: Ghost should allow me to enter a script in the header

Help needed: what do we need to check with our installation of Ghost that could cause this problem?

Would you be able to share the code you’re trying to add?

Thanks :blush:

Yes. Super simple, it doesn’t matter what I’m adding. Even adding an empty script fails:

The original script I’m trying to add is the one below, but again, it doesn’t matter what I’m adding, any script fails:

<script type="application/ld+json">{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is VisionLink?","acceptedAnswer":{"@type":"Answer","text":"VisionLink is a telematics platform, built by Caterpillar and Trimble. It's predominately used to track Caterpillar assets, but can also be used to connect assets from other manufacturers."}},{"@type":"Question","name":"","acceptedAnswer":{"@type":"Answer","text":""}}]}</script>

From re-reading the error, it could be down to the permissions of the user you’re logged in as. Are you able to sign out and ensure you’re signed in as the right user? You’ve also missed out what version of Ghost you are using; this would be helpful for debugging :slight_smile:

Hi David, I’m signed in as owner, so I think I should have all permissions required. We’re using version 3.2.0 - here are the details I put in the original post.
System is installed using AWS Lightsail and Bitnami, all permissions default, we touched nothing.

Details:

We created a brand new installation, which fixed the issue. Not sure what caused it in the first place.


For anyone else that comes across this issue and uses Cloudflare, it turns out this API might be blocked by the Cloudflare WAF if it contains a <script> tag or other HTML code. You can create a firewall rule that bypasses the firewall for the URI ghost/api/v3/admin/settings/ to fix the issue.
