NoPermissionError (403) using api.posts.browse with options

Hello. I have a self-hosted Ghost blog and I am trying to add some custom functionality to my custom theme. I know “Apps” is not an officially supported feature (yet), but I have been finding them useful in extending the core functionality of Ghost and things seem to be working, until I hit this recent wall. Hoping someone with more knowledge about the platform can point me in the right direction.

So in my custom “app”, I am using the ghost proxy object to get a reference to the api object. The following line of code works like a charm and I am able to load all posts in my blog.

const postsResult = await ghost.api.posts.browse()

However, as soon as I add any options to that call, I get a NoPermissionError (403) error. For example:

// load all posts and include "tags"
const postsResult = await ghost.api.posts.browse({ include: 'tags' })

It doesn’t matter what options I pass in. Even an empty {} will trigger the error. I’ve tried to trace the code to try and figure out why this is happening, but no luck. Any help will be greatly appreciated! I’ve included the full stacktrace of the error from my logs below.

Note: using latest version of Ghost (1.24.8)

Thank you,
Ramin

{ NoPermissionError: You do not have permission to perform this action
    at new NoPermissionError (/blog/node_modules/ghost/node_modules/ghost-ignition/lib/errors/index.js:108:23)
    at Function.permissible (/blog/node_modules/ghost/core/server/models/relations/authors.js:356:35)
    at /blog/node_modules/ghost/core/server/services/permissions/can-this.js:93:40
From previous event:
    at Object.objTypeHandlers.(anonymous function) [as post] (/blog/node_modules/ghost/core/server/services/permissions/can-this.js:50:35)
    at doHandlePublicPermissions (/blog/node_modules/ghost/core/server/api/utils.js:183:86)
    at runTask (/blog/node_modules/ghost/core/server/lib/promise/pipeline.js:16:24)
    at /blog/node_modules/ghost/core/server/lib/promise/pipeline.js:26:20
From previous event:
    at /blog/node_modules/ghost/core/server/lib/promise/pipeline.js:25:24
    at runCallback (timers.js:789:20)
    at tryOnImmediate (timers.js:751:5)
    at processImmediate [as _immediateCallback] (timers.js:722:5)
From previous event:
    at pipeline (/blog/node_modules/ghost/core/server/lib/promise/pipeline.js:23:30)
    at Object.browse (/blog/node_modules/ghost/core/server/api/posts.js:72:16)
    at Object.memo.(anonymous function) [as browse] (/blog/node_modules/ghost/core/server/services/apps/proxy.js:63:38)
    at Object.ghost.helpers.register (/blog/content/apps/tags-subnav/index.js:9:51)
    at <anonymous>
  statusCode: 403,
  errorType: 'NoPermissionError',
  level: 'normal',
  message: 'You do not have permission to perform this action',
  id: '657dd870-8c62-11e8-aa67-419774c85c60',
  context: undefined,
  help: undefined,
  name: 'NoPermissionError',
  errorDetails: undefined,
  code: null,
  property: null,
  redirect: null,
  hideStack: undefined }
