Why does "api/v1/users/self" refer to only the same account every time?

Jump to solution
Community Novice

In Laravel, I'm creating my own page, where I want to check if the user is a Canvas admin. If so, they have permission to see the page. Else, they're redirected. In each case, both pages reveal the full information of the user's account (just for testing purposes), so I know for sure which user it's looking at.

public function pagePermissions() {
     $self = self::getSelf();
     $admins = self::getAdmins();
     $isAdmin = self::isAdmin($self, $admins);
     if($isAdmin) {
          echo "True!";
          return view("yesAdmin")
          ->with("isAdmin", $isAdmin)
          ->with("self", $self);
     } else {
          echo "False! YOU AREN'T AN ADMIN.";
          return view("notAdmin")
          ->with("isAdmin", $isAdmin)
          ->with("self", $self);

private function getAdmins() {
     $adminsURL = "https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20";
     $curl = curl_init();
     self::requestCurl($curl, $adminsURL, $this->headers); //does cURL request on above URL
     $resp = curl_exec($curl);
     return self::setHeaders($curl);

private function getSelf() {
     $selfUrl = "https://my.test.instructure.com/api/v1/users/self";
     $curl = curl_init();
     self::requestCurl($curl, $selfUrl, $this->headers); //does cURL request on above URL
     $resp = curl_exec($curl);
     return self::setHeaders($curl);

private function isAdmin($user, $admins) {
     foreach ($admins as $a) {
          if ($a["user"]["sis_user_id"] == $user["sis_user_id"]) {
               echo "Users match!";
               return True;
     return False;

As my code above shows, my method of finding the admins to compare to is by querying the admin endpoint: ``https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20``

I identify the user by querying this endpoint: ``https://my.test.instructure.com/api/v1/users/self``

Then I compare the two by similar values (sis_id, email, etc.) and see if they relate. If they do, great.

Now, my testing works like this: I log in as my admin account. I visit the page. Since my admin account is among the admin lists, it works.

The problem starts when I then log out and log into my second account, a test non-admin one, and visited this page again. It was still permitted. In fact, "users/self" didn't look at my non-admin account at all. It was only returning my admin account.

Lastly I logged out of both accounts and visited as some anonymous user. It...still permitted me, and showed me the full

Does anyone know why Canvas does this?

TL;DR why is the "api/v1/users/self" endpoint always giving me the same result?

Labels (3)
1 Solution
Community Champion


self is an alias for the current user or account.

Users - Canvas LMS REST API Documentation 

Throughout this API, the :user_id parameter can be replaced with self as a shortcut for the id of the user accessing the API. For instance, users/:user_id/page_views can be accessed as users/self/page_views to access the current user's page views.

To get other users, you have to get their :user_id and add it to the request.

Accounts - Canvas LMS REST API Documentation 

Returns permission information for the calling user and the given account. You may use `self` as the account id to check permissions against the domain root account. The caller must have an account role or admin (teacher/TA/designer) enrollment in a course in the account.

View solution in original post