Error when trying to download files: {"code":4000,"message":"User has no permissions for specified resource","errorData":{}}

ApplicationID = 5479CC4D-5630-3E2A-FF16-B5272776D500

File downloads have stopped working on my app. I have a folder named “reports”. It has read/write/delete permissions true for authenticated users. But after logging in, I still get this error: {“code”:4000,“message”:“User has no permissions for specified resource”,“errorData”:{}}.

Strange thing also: It worked until I cleared my browser data and logged back into my Backendless app.

Hello @Dennis_Nelson

Which API do you use for login and file downloads?

Regards,
Vladimir

Login via codeless login user block
image

From the front end a call is made to a business logic service that creates a file, saves it to the reports folder in files and returns the URL to the front end. The frontend then just displays the URL as a regular hyperlink to click on.

Front end call to business logic service:

Business logic service:
image

Link on the front end:
image

Rendered html:
<a class="bl-link" href="<the rest of the path>/reports/all_work_orders_1641392189739.csv">Click to download</a>

Hello @Dennis_Nelson

Please try adding a user-token to the header.
Documentation: Downloading a File via API
Fetching a file secured by an access control list (ACL) policy requires an additional HTTP header in the request:
user-token: <value>
<value> identifying currently logged in user (if any). This is the value received in the response for the login API request. The token uniquely identifies the user and the roles associated with him. It is used by Backendless to establish user’s identity for all operations where the token is present. It is necessary in order to determine permissions applicable to the user and the roles associated with the account. This header is optional.

Regards,
Vladimir

@Volodymyr_Ialovyi I created a link to the file on a UI page accessible only to logged in users. The fact that the user is logged in is not maintained via a cookie or something and known by the file service? It seemed to have been working that way before I cleared cache/cookies and logged back in.

Are you saying, in order to download a secured file from a website created in UI builder, where the user is logged in, I cannot just include a link, I will have to change the API service to return the actual file instead of the file name?

The fact that the user is logged in is not maintained via a cookie or something and known by the file service?

User session is maintained by the user-token placed in the Local Storage. If a user is logged in, each request to the API will include this token in the request headers.

Are you saying, in order to download a secured file from a website created in UI builder, where the user is logged in, I cannot just include a link, I will have to change the API service to return the actual file instead of the file name?

Yes, because when the user clicks on the file URL, the user-token will not be attached to the request automatically, thus the request will be unauthorized.

Regards,
Stanislaw