Unable to Add Google Analytics - Permission Denied

I am not able set Google Analytics on latest Ghost via Admin portal
I am logged in as owner.

I get following error on Portal:
Request was rejected because user is not permitted to perform this operation.

I can see following on console:
vendor.min-282049bc47541e65478dbcc6234e9fa0.js:9075 Uncaught (in promise) Error: Request was rejected because user is not permitted to perform this operation.
at e._createCorrectError (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:9113)
at e.handleResponse (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:9111)
at e.handleResponse (ghost.min-259151d0b5b21fc561f490072435c634.js:1808)
at e.n [as handleResponse] (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:2361)
at e. (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:9100)
at l (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:622)
at Object.fireWith [as rejectWith] (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:623)
at A (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:906)
at XMLHttpRequest. (vendor.min-282049bc47541e65478dbcc6234e9fa0.js:917)

On Network inspection:
I get 403 forbidden

I have restarted ghost server. Still same issue.

Url: https://eng.blackbuck.com
Ghost-CLI version: 1.14.1
Ghost version: 3.34.1 (at /var/www/ghost)
Node version: v12.18.4
Browser: Chrome Version 85.0.4183.121 (Official Build) (64-bit)
Server OS: Ubuntu 16.04 hosted on AWS

Goto Settings-Code Injection
Paste following Site Header

<script async src="https://www.googletagmanager.com/gtag/js?id=<My-Id>"></script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', <My-Id>);

PS: My-Id is replaced by my actual site tag given by Google Analytics

I have solved this:

I logged into Mysql
In permissions table of my ghost DB, I figured out what all permissions are there


5f75c0b5b9dd9b65de33450d | Browse integrations | integration | browse | NULL | 2020-10-01 11:42:45 | 1 | 2020-10-01 11:42:45 | 1 |

| 5f75c0b5b9dd9b65de33450e | Read integrations | integration | read | NULL | 2020-10-01 11:42:45 | 1 | 2020-10-01 11:42:45 | 1 |

| 5f75c0b5b9dd9b65de33450f | Edit integrations | integration | edit | NULL | 2020-10-01 11:42:45 | 1 | 2020-10-01 11:42:45 | 1 |

| 5f75c0b5b9dd9b65de334510 | Add integrations | integration | add | NULL | 2020-10-01 11:42:45 | 1 | 2020-10-01 11:42:45 | 1 |

| 5f75c0b5b9dd9b65de334511 | Delete integrations | integration | destroy | NULL | 2020-10-01 11:42:45 | 1 | 2020-10-01 11:42:45 | 1 |

I when into user table, I checked what is the Id of my user. In this case I was the owner and id = 1

I browsed through permissions_roles table and found that for the role assigned to owner, there are no entries in this table.
Not sure if this means by default owner has all roles and its interpreted in that manner. But since browser was saying access denied, I added these to permissions_roles table

INSERT INTO permissions_roles VALUES (“1”, “5f75c0b5b9dd9b65de3344dd”, “5f75c0b5b9dd9b65de334510”);

INSERT INTO permissions_roles VALUES (“2”, “5f75c0b5b9dd9b65de3344dd”, “5f75c0b5b9dd9b65de33450f”);

Post this, Its stared working.
Looks like this is a bug where if role is owner this DB check shouldn’t have been done. But since its being done, adding this permission to owner role solved it. In which case, these should be pre-added during installation

This issue has happened again. Not just in Code injection now, but for other pages as well. Now not able to unpublish few posts. Also not able to edit already Injected Script in the head

Any idea why this is happening?
I have also reverted my previous changes and tested again. But its not working.

Have you checked your site’s logs to see if it’s Ghost that’s sending a 403? Is it possible you have some security software sitting somewhere that’s seeing the script tags and rejecting requests?

I checked this. I also saw old blog which stated things on WAF. My load balancer had WAF enabled on AWS which was blocking these requests.
Post routing all my calls from load balancer which doesnt have any WAF enabled, this seems to be solved.
But I am still puzzled as to how it intermittently started working when permissions_roles were added