Description
POST to api/point_value/setValue returns 403 Forbidden for non-admin users,
even when the user has set permission on the datapoint.
GET api/point_value/getValue works fine for the same user.
Steps to reproduce
- Log in as a non-admin user
- Open a view containing an HTML widget
- Execute the following fetch from the browser console (F12):

```javascript
fetch("/Scada-LTS/api/point_value/setValue/DP_670528/4/", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: "OFF"
});
```
Expected behavior
200 OK — same as admin user
Actual behavior
403 Forbidden
Additional context
- Works fine when logged in as admin
- GET getValue works fine for non-admin
- The same non-admin user can set the same datapoint value via:
  - the Watch List UI
  - a Button component (script)
- So the user permissions on the datapoint are correct
- This issue seems specific to the HTML widget fetch API
- Tested with header X-Requested-With: XMLHttpRequest → still 403
- Tomcat log only shows: POST /Scada-LTS/api/point_value/setValue/... 403 644
- No additional detail in catalina.out
Environment
- Scada-LTS version: v2.7.8.1 build 1417689912
- Browser: Brave (Chromium 147), Chrome