ejabberd rest API without authentication, 403 Forbidden (error code 32)


I'm trying to access the ejabberd REST API without authentication but always get a 403 Forbidden response with this body:

{
    "status": "error",
    "code": 32,
    "message": "AccessRules: Account does not have the right to perform the operation."
}

I cannot get an OK response on the /api/status endpoint, which is a command that all users from 127.0.0.1 should be able to use (see the "public commands" section under api_permissions in ejabberd.yml).

Here's the request details (via Insomnia REST client):

> POST /api/status HTTP/1.1
> User-Agent: insomnia/5.1.0
> Host: localhost:5280
> Accept: */*
> Accept-Encoding: deflate, gzip
> Content-Type: application/json
> Content-Length: 2
| {}

The ejabberd version is 17.04, installed from a downloaded deb package and running on Debian 8.8 (jessie) x86_64 as the ejabberd user. Post-install, I simply added the host "localhost", registered a new user "admin" for localhost and added it to the ACLs.

The only changes I made to ejabberd.yml:

hosts:
  - "localhost"
acl:
  admin:
    user:
      - "admin": "localhost"

Otherwise, I can access the web admin interface, which works fine...
What can I do in order to get a 200 OK response?

On BEST ANSWER

OK, I found the solution. Like the message said, it was a permission issue.
Here's the default configuration:

api_permissions:
## ...
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"

This does not allow access to the status or connected_users_number commands, with or without authentication (I triple-checked).

For no-authentication usage, use - all:

  "public commands":
    who:
## This allows to use both commands without having to authenticate
      - all
    what:
      - "status"
      - "connected_users_number"

If you want to require a valid user (with basic authentication), replace - all with - access: local.

  "public commands":
    who:
## This allows to use both commands with basic authentication for local users
      - access: local
    what:
      - "status"
      - "connected_users_number"
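The three "who" variants from the answer, side by side, as an added illustration that is not ejabberd's own code: a deliberately simplified model of how an api_permissions group gates a command, where "ip:" is a CIDR match on the peer address and "access: local" is approximated as "request carries a valid basic-auth user on a configured host". The HOSTS set, the peer addresses and the user names are constructed for the example; the point is that "- all" admits any client that can reach the API port, while the other two variants do not.

```python
import ipaddress

# Constructed for the example: the hosts configured in ejabberd.yml.
HOSTS = {"localhost"}

def who_matches(rule, peer_ip, auth_user):
    """Return True if one entry of a 'who' list matches the request.

    Simplified model of ejabberd's evaluation, not its real code:
    - "all"            -> anyone, authenticated or not
    - {"ip": CIDR}     -> peer address inside the CIDR (same IP version only)
    - {"access": "local"} -> authenticated user whose domain is a configured host
    """
    if isinstance(rule, str):
        return rule == "all"
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"], strict=False)   # 127.0.0.1/8 -> 127.0.0.0/8
        return ipaddress.ip_address(peer_ip) in net            # ::1 is not in a v4 range
    if rule.get("access") == "local":
        return auth_user is not None and auth_user.partition("@")[2] in HOSTS
    return False

def api_allowed(permissions, command, peer_ip, auth_user=None):
    """Allow when some group lists the command in 'what' and one 'who' entry matches."""
    for group in permissions.values():
        if command in group["what"] and any(
            who_matches(rule, peer_ip, auth_user) for rule in group["who"]
        ):
            return True
    return False   # the case where ejabberd answers 403 with code 32

# The "public commands" group in its three variants, transcribed from the YAML above.
WHAT = ["status", "connected_users_number"]
LOOPBACK_ONLY = {"public commands": {"who": [{"ip": "127.0.0.1/8"}], "what": WHAT}}
OPEN_TO_ALL = {"public commands": {"who": ["all"], "what": WHAT}}
LOCAL_AUTH = {"public commands": {"who": [{"access": "local"}], "what": WHAT}}

if __name__ == "__main__":
    for name, perms in [("loopback", LOOPBACK_ONLY), ("all", OPEN_TO_ALL), ("local", LOCAL_AUTH)]:
        for peer, user in [("127.0.0.1", None), ("203.0.113.9", None), ("203.0.113.9", "admin@localhost")]:
            print(f"{name:8} peer={peer:12} user={user!s:16} "
                  f"status -> {api_allowed(perms, 'status', peer, user)}")
```

Running it shows why the accepted answer's "- all" variant deserves a firewall or reverse-proxy restriction in front of port 5280: a remote, unauthenticated peer gets the same answer as the loopback client.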