So frustrated. "Request was rejected because user is not permitted to perform this operation"

All I want to do is add a photo into my blog in the editor. I am an admin of the account. I keep getting the same error. There is no reason this should be happening. Please help.

1 Like

Well, that shouldn’t happen! Maybe you can share whether you’re on a hosted version of Ghost (which one, if so), or how you installed Ghost, if self hosted.

It’d also be helpful to see any errors in the console log - press F12 in the browser and then switch over to console. If self hosted, what errors do you see in the Ghost logs on the server?

I assume the problem is ongoing, not just one time? If you refresh the page, does the behavior resolve?

You’re not running any privacy blockers or in incognito mode, right? That message is consistent with Ghost not recognizing the user making the request…

Same issue for me, self-hosted Ghost instance. Running on Digital Ocean, used their installation guide. Running for over 4 years. This issue started after upgrade 5.72.0 (I believe), at least I couldn’t upload images or videos after that point. I’ve run ghost doctor, no issues found. I’ve looked at permissions.

I can upload images to a gallery, but when I upload images to a gallery, they do not appear on preview and they are not saved in the draft (if I exit the edit mode).

This is also true for files. I can upload, but they don’t actually upload.

I am also using Cloudflare and suspected a configuration change in Cloudflare’s Managed Rulesets might be the cause of my issue. By disabling Cloudflare on this domain (not simply the caching), image upload worked. So I investigated further.

It appears there is a conflict with the OWASP default ruleset used by Cloudflare. Setting the OWASP Anomaly Score to Medium (40 and higher) and the Paranoia Level to PL1 seems to enable uploads. I was originally configured for High (25 and higher) and PL2. I believe those were “default settings” for Cloudflare. Perhaps a ticket should be submitted to Cloudflare to look at their default WAF Managed rulesets.

Hope this helps anyone else facing this issue.

1 Like
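
A simplified model of the anomaly scoring described in the post above, as an added example that is not part of the original thread and not Cloudflare's code: each matched rule at or below the configured paranoia level adds its score, and the request is blocked once the total reaches the threshold. The rule names, paranoia levels and per-rule scores are constructed for illustration; only the two thresholds come from the post.

```python
# Thresholds as quoted in the post: a request is blocked at this score or higher.
THRESHOLDS = {"Medium": 40, "High": 25}

# Constructed sample: rules a multipart image upload might match.
# Rule names, paranoia levels and scores are hypothetical, not Cloudflare's.
SAMPLE_MATCHES = [
    {"rule": "non-printable bytes in request body", "pl": 1, "score": 5},
    {"rule": "body resembles script content", "pl": 1, "score": 5},
    {"rule": "unusual multipart header", "pl": 1, "score": 5},
    {"rule": "high ratio of special characters", "pl": 2, "score": 5},
    {"rule": "repeated non-word characters", "pl": 2, "score": 5},
    {"rule": "restricted byte range in body", "pl": 2, "score": 5},
]


def evaluate(matches, paranoia_level, sensitivity):
    """Score one request under a given paranoia level and threshold."""
    # Only rules at or below the configured paranoia level are evaluated.
    active = [m for m in matches if m["pl"] <= paranoia_level]
    score = sum(m["score"] for m in active)
    return {
        "score": score,
        "blocked": score >= THRESHOLDS[sensitivity],
        "rules": [m["rule"] for m in active],
    }


def sweep(matches):
    """Evaluate every (paranoia level, sensitivity) pair to see which ones block."""
    return {
        (pl, name): evaluate(matches, pl, name)["blocked"]
        for pl in (1, 2)
        for name in THRESHOLDS
    }


if __name__ == "__main__":
    for (pl, name), blocked in sorted(sweep(SAMPLE_MATCHES).items()):
        print(f"PL{pl} / {name:<6} -> {'BLOCK' if blocked else 'allow'}")
```

With this constructed input only PL2 combined with High blocks the upload, which shows why it is worth checking each setting on its own before relaxing both.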

Thanks for reporting back. “Turn off the caching and extra security stuff” is often good advice for ruling out what’s a Ghost bug and what’s a problem with something between you and Ghost.

1 Like