This is the warning I get when trying to edit fields on Code Injections page:
Request was rejected because user is not permitted to perform this operation.
Version: 3.28.0
Account: Me, Owner.
What I’ve tried: Updated to latest ghost version. Logged in/out.
Anyone else have this problem?
Update.
So, I just deleted everything in my input fields and it saves.
If I try and add ANY code it doesn’t save.
So now I have a broken site which is not great.
Adding code the template files for now 
I even tried creating a new admin user. That didn’t work either.
More Testing
Hoping this might help someone point me in the right direction…
If I add the following to header or footer - it saves.
<!-- Google Ad Manager -->
If I add any actual scripts like the following to header or footer - it does not save.
<script async src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
@simonmc can you try in an incognito window or a different browser to eliminate any security/privacy extensions interfering?
Thanks for the suggestion @Kevin.
I tried incognito in Chrome, Safari and Firefox. No luck.
No idea if this helps, but this is the error I get when it fails.
Failed to load resource: the server responded with a status of 403 () https://discover.therookies.co/ghost/api/v3/admin/settings/
Vendor.js: Unhandled Promise Rejection: Error: Request was rejected because user is not permitted to perform this operation.
I have built a new Ghost installation using Digital Ocean and their 1-Click-App.
I installed * Version 3.35.2.
Out of the box, absolutely untouched with Casper theme, I still can’t inject any code to a post or to the header/footers.
Any ideas what I can do here?
Adding console errors that will hopefully help…
Assertion failed: Input argument is not an HTMLInputElement
PUT https://****/ghost/api/v3/admin/settings/ 403
`Error: Request was rejected because user is not permitted to perform this operation.`
Btw, I’m the only staff on the site are me(admin) and ghost.
Where it gets a little insane is that I can add <style> to the header/footer, but the moment I write the word <script> the page throws the warning!?
Do you have any firewalls on the droplet or a cdn/security service sitting in front? It sounds like something is blocking what it thinks is “unsafe” content in the request.
Another thing to check is any security software on your computer, are you able to try from a different device? Testing from a phone/tablet connected to a different network (4g instead of wi-fi for example) could help determine if it’s a problem specific to your computer
Oh man! That totally makes sense!! I have everything running through Cloudflare.
Heading over there now to see if anything looks like the culprit.
@Kevin I owe you big time!
This has been driving me crazy for months, across 4 different installations of Ghost.
I just added a page rule in Cloudflare to disable the firewall when trying to access ‘/ghost/api/v3/admin/settings/’ and I can now save code injections.
My only question now is… is this safe? 
In general, yes, it’s safe unless you have a specific need that warrants a firewall. Only you can know if it’s necessary based on how you are hosting, who has access, which networks your traffic is passing through, etc.
Same thing happened after I made my NGINX server safer. No extra allowed.
@Kevin You redirected me here from Request was rejected because user is not permitted to perform this operation
My problem is not the same: here it is to inject code. I actually used this solution (on Cloudflare firewall) and it worked.
However I still have the error message when trying to edit an old post.
The problem and solution is the same across the board. If you copied the page rule directly from above rather than adapting it to your situation then it will only work for saving code injection.
It’s recommended to have the firewall disabled for all of /ghost/* to avoid problems but if you need it then you should adapt your firewall rules to suit.