Second Admin is not able to add new subscriber

As the owner I can add a new subscriber manually. As second Admin I am not allowed. I get the following error in the console:

vendor-6b83da0c6e6fede335947219c59e1543.js:7160 Uncaught Error: Request was rejected because user is not permitted to perform this operation.

Ghost v5.78.0
DigitalOcean Droplet

Are you sure the second admin is set up as an administrator, not an editor? Might want to check in settings > staff to be sure.

Yes, I am sure!

[Screenshot 2024-02-02 at 16.46.29]

So I just tried with my administrator account (using Ghost Pro, so on 5.77 today) and everything worked fine.

If this is a regression, it’s brand new. Going to spin up a local 5.78 install real quick and see if I can replicate… anyone else see this?

Max, I just tried on 5.79.0, and I can’t replicate the behavior. I made an administrator account, logged out as the owner, clicked the link to activate my new administrator, and added a member successfully from the members part of the dashboard. Caveat: This is a local install. It’s possible the behavior is different in production.

You might want to go ahead and upgrade to 5.79.0 (ghost update). If the problem disappears, great. If it doesn’t, you’ll be reporting a problem with the latest release, which is usually a good idea. :)

I did the update but still every other Admin (I even created new ones) is not allowed to add users. ghost doctor tells me everything is fine.

Request Headers:

Request URL: https://XXX/ghost/api/admin/members/?include=newsletters%2Clabels
Request Method: POST
Status Code: 403 Forbidden
Referrer Policy: strict-origin-when-cross-origin

Can you inspect the network request and look at the body? That should tell you if the 403 is coming from Ghost or if there’s something else in your setup that’s causing it. Quite frequently we see Cloudflare or other security software put in front of a site which then incorrectly blocks requests.

{
    "errors": [
        {
            "message": "Permission error, cannot save member.",
            "context": "You do not have permission to add members",
            "type": "NoPermissionError",
            "details": null,
            "property": null,
            "help": null,
            "code": null,
            "id": "4910b7d0-c40f-11ee-91d9-27d99fb9a364",
            "ghostErrorCode": null
        }
    ]
}

There is no body. Just the response and the response headers:

Access-Control-Allow-Origin: https://XXX.de
Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
Content-Length: 266
Content-Type: application/json; charset=utf-8
Content-Version: v5.79
Date: Mon, 05 Feb 2024 10:14:02 GMT
Etag: W/"10a-5OqHRfzmVQr9qSEPEyPblI2Hl28"
Server: nginx/1.18.0 (Ubuntu)
Vary: Accept-Version, Origin, Accept-Encoding
X-Powered-By: Express

It’s a DIGITAL OCEAN droplet and no Cloudflare. As the owner of the site I can easily add members, but not any Admin.
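The check suggested earlier in the thread (does the 403 come from Ghost or from something in front of it?), written out as an added example that is not part of the thread or of Ghost's own code. The function name `classify403` and the heuristics are assumptions: a JSON body carrying an `errors` array with `type` and `message` is treated as Ghost's answer, anything else as an intermediary's.

```javascript
// Added example; the heuristics are assumptions based on the response posted in this thread.
function classify403(status, headers, bodyText) {
  if (status !== 403) return { origin: 'n/a', kind: 'not-a-403' };

  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only try to parse the body when it is declared as JSON.
  let parsed = null;
  if ((h['content-type'] || '').toLowerCase().startsWith('application/json')) {
    try { parsed = JSON.parse(bodyText); } catch (_) { parsed = null; }
  }

  // Ghost-style error body: { errors: [ { message, type, ... } ] }
  const errors = parsed && Array.isArray(parsed.errors) ? parsed.errors : [];
  const ghostShaped = errors.length > 0 &&
    errors.every(e => e && typeof e.type === 'string' && typeof e.message === 'string');

  if (!ghostShaped) {
    // Something in front of Ghost (proxy, WAF, CDN) probably answered instead.
    return { origin: 'intermediary', kind: 'blocked', server: h['server'] || null };
  }
  const perm = errors.find(e => e.type === 'NoPermissionError');
  const first = perm || errors[0];
  return {
    origin: 'ghost',
    kind: perm ? 'permission' : 'other',
    context: first.context || null,
    errorId: first.id || null, // quote this when reporting the problem
    contentVersion: h['content-version'] || null,
  };
}

// Sample 1: headers and body reduced from the response posted in this thread.
const GHOST_HEADERS = { 'Content-Type': 'application/json; charset=utf-8', 'Content-Version': 'v5.79', 'Server': 'nginx/1.18.0 (Ubuntu)' };
const GHOST_BODY = JSON.stringify({ errors: [{ message: 'Permission error, cannot save member.', context: 'You do not have permission to add members', type: 'NoPermissionError', id: '4910b7d0-c40f-11ee-91d9-27d99fb9a364' }] });
// Sample 2: constructed block page, not taken from the thread.
const WAF_HEADERS = { 'content-type': 'text/html', 'server': 'example-waf' };
const WAF_BODY = '<html><body>Access denied</body></html>';

console.log(classify403(403, GHOST_HEADERS, GHOST_BODY));
console.log(classify403(403, WAF_HEADERS, WAF_BODY));
```

For the response in this thread the result is `origin: 'ghost'`, `kind: 'permission'`, which points at Ghost's own role and permission data rather than at nginx or a WAF.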

@Cathy_Sarisky @Kevin any more ideas? :(

I’m struggling to come up with an idea that breaks specifically this route and no others and that doesn’t also break it for the owner.

Just to confirm: Other admin functionality is fine? Change the theme? Add navigation?

And: can we rule out the possibility that this is some sort of browser security settings misbehavior? Does the problem persist on another device (or at least in another browser)?

Yes, all other functionalities can be edited and saved.
Browser is not the problem. Tried multiple devices and browsers.
Can I somehow overwrite the permissions for admin only?

Did you get a chance to think about it?

Hopefully Kevin will have an idea for you. I don’t feel qualified to tell you how to hack the Ghost database. :slight_smile:

Just thinking… have you tested the classic clear cache, delete all cookies, try different browser/machine and re-login on ghost? There’s always the quantum flux thing where a bit gets flipped due to solar storms and black-swan events and related madness.

I spent 48 hrs trying to get a video to render - it would crash randomly until I ran it with the render-server case open and … it was a heating problem - got an industrial floor fan blowing into the case, and it rendered. Memorable event.

@Kevin :slight_smile: do you have any ideas?