Forbidden error 403 when a non-admin user loads a LookbackAPI chart that is scoped to include closed projects

Document ID : KB000057608
Last Modified Date : 14/02/2018

Issue

A non-workspace-admin user who had access to a now-closed project before it was closed can still retrieve the historic data, but non-admin users who were created after the project was closed (including project admins of other projects) get a 403 error.

This scenario was tested with Project Cumulative Flow and Portfolio Item Cumulative Flow.

Below are the details of the environment and the steps to replicate.

Here is the project tree:

User-added image

1. As an administrator, add the app to a custom page in top project "Sample Project", and make it shared.

User-added image

2. Load the app. Global project scoping affects data. This screenshot shows the chart when items from child projects are included:

User-added image

This screenshot shows the same chart when items from child projects are not included:

User-added image

There is one accepted story in child project "SP C2" that is responsible for the green spike in the first screenshot. Here is the same chart on the "SP C2" project level:

User-added image

We concentrate on this user story because in the next step the project "SP C2" will be closed by the workspace administrator.

3. Close a project that contains one of the stories that is included in the data returned by the chart.

User-added image

Here is the workspace administrator's view after the filter was changed from the default setting (show only open projects) to show all projects:

User-added image

4. Reload the same chart while still logged in as a workspace administrator.

Notice that the chart looks exactly the same as before one of the child projects was closed:

User-added image

5. Test the chart using a regular editor's account.

We choose a user that currently does not have access to this workspace. Another similar scenario is a newly created user that never had access to the closed "SP C2" project.
The screenshot below shows user Temp U, who does not have access to the "NM 1" workspace where "Sample Project" and its children are located.

User-added image

A workspace administrator grants this user access to this workspace and editor rights to "Sample Project" and its only open child project:

User-added image

Log in to CA Agile Central with the Temp U user's credentials and load the app.

User-added image

Here is the error in the JavaScript console of the browser's Dev Tools:

User-added image

Here is the closeup of the error in the console:

User-added image

There is a more informative message in DevTools > Network > Response, but it does not include the Object IDs of the inaccessible projects:

{"_rallyAPIMajor":"2","_rallyAPIMinor":"0","Errors":["Authorization Error: Your request requires access to projects for which you do not have permission. Contact your subscription administrator to request permission or add removeUnauthorizedSnapshots=true to the request parameters."],"Warnings":[]}

User-added image
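For a script that queries the Lookback API directly (rather than the app SDK used above), the following added example, which is not part of this article or of the product, shows how to recognise this exact error envelope and rebuild the request with the removeUnauthorizedSnapshots=true parameter that the error text names. The query URL and workspace ObjectID are placeholders; the parameter's name indicates that snapshots from projects the caller cannot see are dropped, so the resulting chart will not match the administrator's view, and the permanent fix remains the admin workaround in the Resolution section.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample: the 403 response body quoted in this article.
SAMPLE_403_BODY = json.dumps({
    "_rallyAPIMajor": "2",
    "_rallyAPIMinor": "0",
    "Errors": ["Authorization Error: Your request requires access to projects "
               "for which you do not have permission. Contact your subscription "
               "administrator to request permission or add "
               "removeUnauthorizedSnapshots=true to the request parameters."],
    "Warnings": [],
})

# Hypothetical LBAPI query URL; the workspace ObjectID is a placeholder.
SAMPLE_QUERY_URL = ("https://rally1.rallydev.com/analytics/v2.0/service/rally/workspace/"
                    "WORKSPACE_OID_PLACEHOLDER/artifact/snapshot/query.js"
                    "?find=%7B%22Project%22%3A%7B%22%24in%22%3A%5B123%5D%7D%7D&fields=true")


def lbapi_errors(body):
    """Return the error strings from an LBAPI envelope (empty if none or unparsable)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    errors = data.get("Errors", []) if isinstance(data, dict) else []
    return [e for e in errors if isinstance(e, str)]


def is_project_authorization_error(status, body):
    """True when a 403 carries the project-permission error shown in the article."""
    if status != 403:
        return False
    return any(e.startswith("Authorization Error") and "access to projects" in e
               for e in lbapi_errors(body))


def with_remove_unauthorized(url):
    """Return url with removeUnauthorizedSnapshots=true, replacing any existing value."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "removeUnauthorizedSnapshots"]
    params.append(("removeUnauthorizedSnapshots", "true"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def plan_retry(url, status, body):
    """Classify an LBAPI response: ("ok", url), ("retry", retry_url) or ("fail", errors)."""
    if status == 200:
        return ("ok", url)
    if is_project_authorization_error(status, body):
        return ("retry", with_remove_unauthorized(url))
    return ("fail", lbapi_errors(body))
```

Log every "retry" decision: a user whose queries regularly need this parameter is a sign that their project access no longer matches the chart's scope.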

Resolution

Unfortunately Lookback API (LBAPI) does not remove closed projects inaccessible to a given user from the query's scope.

Even though it is possible to work around this issue by promoting the user to workspace administrator, this is rarely acceptable. Also, if another user with sufficient permissions moves a story from a closed project to an open project, this does not change the outcome for the non-admin user, who will continue to receive a 403 error: as the Lookback API documentation states, the past is unchangeable.

Workaround:

1. A subscription or workspace admin reopens the closed project.

2. A subscription or workspace admin gives access to this project to the affected user.

This screenshot shows the editor's access after the project was reopened, but before access to it is granted:

User-added image

The user is granted editor rights:

User-added image

3. A subscription or workspace admin closes the project again.

4. At this point the non-admin editor user Temp U reloads the app successfully:

User-added image

A couple of details apparent from the screenshot:

a) the same Accepted story from the closed project is represented by the green spike

b) as expected, the closed project is not available in the project tree in the upper left corner of the screen