sam_ofloinn
Community Member

Why does "api/v1/users/self" refer to only the same account every time?


In Laravel, I'm creating my own page, where I want to check if the user is a Canvas admin. If so, they have permission to see the page. Else, they're redirected. In each case, both pages reveal the full information of the user's account (just for testing purposes), so I know for sure which user it's looking at.

public function pagePermissions() {
     $self = self::getSelf();                  // GET /api/v1/users/self
     $admins = self::getAdmins();              // GET /api/v1/accounts/1/admins
     $isAdmin = self::isAdmin($self, $admins);
     if ($isAdmin) {
          echo "True!";                        // debug output only
          return view("yesAdmin")
               ->with("isAdmin", $isAdmin)
               ->with("self", $self);
     } else {
          echo "False! YOU AREN'T AN ADMIN.";  // debug output only
          return view("notAdmin")
               ->with("isAdmin", $isAdmin)
               ->with("self", $self);
     }
}

private function getAdmins() {
     $adminsURL = "https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20";
     $curl = curl_init();
     // does cURL request on above URL; $this->headers carries the Authorization header
     self::requestCurl($curl, $adminsURL, $this->headers);
     $resp = curl_exec($curl);
     return self::setHeaders($curl); // helper (not shown) that turns the response into an array
}

private function getSelf() {
     $selfUrl = "https://my.test.instructure.com/api/v1/users/self";
     $curl = curl_init();
     // does cURL request on above URL; same headers, so the same token, as getAdmins()
     self::requestCurl($curl, $selfUrl, $this->headers);
     $resp = curl_exec($curl);
     return self::setHeaders($curl); // helper (not shown) that turns the response into an array
}

private function isAdmin($user, $admins) {
     // Never match on a missing SIS id: with a loose "==" two null/empty
     // sis_user_id values compare equal and would grant admin by accident.
     if (empty($user["sis_user_id"])) {
          return false;
     }
     foreach ($admins as $a) {
          if (isset($a["user"]["sis_user_id"])
               && $a["user"]["sis_user_id"] === $user["sis_user_id"]) {
               echo "Users match!";             // debug output only
               return true;
          }
     }
     return false;
}


As my code above shows, I find the admins to compare against by querying the admin endpoint: `https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20`

I identify the user by querying this endpoint: `https://my.test.instructure.com/api/v1/users/self`

Then I compare the two by similar values (sis_id, email, etc.) and see if they relate. If they do, great.

Now, my testing works like this: I log in as my admin account. I visit the page. Since my admin account is among the admin lists, it works.

The problem started when I then logged out, logged into my second account, a test non-admin one, and visited this page again. It was still permitted. In fact, "users/self" didn't look at my non-admin account at all. It was only returning my admin account.

Lastly I logged out of both accounts and visited as some anonymous user. It...still permitted me, and showed me the full

Does anyone know why Canvas does this?

TL;DR why is the "api/v1/users/self" endpoint always giving me the same result?


Accepted Solutions
robotcars
Navigator

Lee,

self is an alias for the current user or account.

Users - Canvas LMS REST API Documentation 

Throughout this API, the :user_id parameter can be replaced with self as a shortcut for the id of the user accessing the API. For instance, users/:user_id/page_views can be accessed as users/self/page_views to access the current user's page views.

To get other users, you have to get their :user_id and add it to the request.

Accounts - Canvas LMS REST API Documentation 

Returns permission information for the calling user and the given account. You may use `self` as the account id to check permissions against the domain root account. The caller must have an account role or admin (teacher/TA/designer) enrollment in a course in the account.


4 Replies

Robert, thank you for your reply.

self is an alias for the current user or account.

From my understanding of the documentation, can this not mean to refer to any other user? i.e. anyone in the world, not just one user?

To get other users, you have to get their :user_id and add it to the request.

I also understand this, and I know this works. However, I want my program to discriminate between the different kinds of current users that'd reply. It should not see just my account when someone else tries to log on. Given that the project is currently bound to a local machine, I can't test it from another computer, but I suppose I don't understand how exactly users/self reads the current ID. I thought it was the currently logged-in user, which is why I logged into a separate user after trying the program once, but it still gave me the first one, the admin account. So I suppose my problem is that I don't understand how the information you are highlighting changes things.

Is your program using an API token bound to your account, or OAuth?

If you're using OAuth, self should refer to the current user; if all API requests are going through your token, the user is you.

Robert,

It's using an API token bound to my account, indeed. I would like to use OAuth, and the best way I know how is with the Laravel library "Passport", but there seems to be no documentation on configuring it with Canvas. So I'm very confused on how they should interact.
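Both points Robert makes in this thread, that `self` is a shortcut for the user whose credential makes the request (the accepted answer) and that a token bound to one account therefore makes every request come from that account (his follow-up), can be seen in one small model. This is an added example, not code from the thread, from Laravel or from Canvas: the users, the tokens, the API stub and the `manage_account_memberships` permission name are all constructed or assumed for illustration.

```python
"""Added example, not code from the thread or from Canvas: a model of the rule
"self = the user whose credential made the request" and of what a single
static API token does to a permission check. Users, tokens and the API stub
below are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    id: int
    name: str
    sis_user_id: Optional[str]


# Constructed directory: one account admin, one ordinary user, one user whose
# SIS id was never set.
USERS = {
    1: User(1, "lee-admin", "sis-0001"),
    2: User(2, "lee-test", "sis-0002"),
    3: User(3, "no-sis", None),
}
ACCOUNT_ADMIN_IDS = {1}

# Constructed credentials: bearer token -> owning user id.
TOKENS = {
    "tok-lee-admin": 1,  # the personal token the controller embeds in $this->headers
    "tok-lee-test": 2,   # what an OAuth login of the test account would yield
    "tok-no-sis": 3,
}


class Unauthorized(Exception):
    """Stands in for a 401 from the API."""


def canvas_get(path: str, bearer: Optional[str]):
    """Stub of the endpoints the thread mentions.

    `self` is resolved from the Authorization header only; whoever is logged
    in to the Laravel page's browser session is invisible here.
    """
    if bearer is None or bearer not in TOKENS:
        raise Unauthorized("missing or unknown token")
    caller = USERS[TOKENS[bearer]]
    if path == "/api/v1/users/self":
        return {"id": caller.id, "name": caller.name,
                "sis_user_id": caller.sis_user_id}
    if path == "/api/v1/accounts/self/permissions":
        # Assumed response shape; the real keys follow the permissions[]
        # names the caller asks for.
        return {"manage_account_memberships": caller.id in ACCOUNT_ADMIN_IDS}
    if path == "/api/v1/accounts/1/admins":
        # Assumption: listing admins itself needs account-admin rights.
        if caller.id not in ACCOUNT_ADMIN_IDS:
            raise Unauthorized("only account admins may list admins")
        return [{"user": {"id": u.id, "sis_user_id": u.sis_user_id}}
                for u in USERS.values() if u.id in ACCOUNT_ADMIN_IDS]
    raise KeyError(path)


def is_admin(user: dict, admins: list) -> bool:
    """Strict counterpart of the thread's isAdmin(): match on the Canvas `id`
    and never treat two missing fields as a match."""
    uid = user.get("id")
    return uid is not None and any(a["user"].get("id") == uid for a in admins)


def page_permission_shared_token(visitor_token: Optional[str]):
    """The thread's design: the visitor's own credential is never sent, so
    `self` is always the token owner and every visitor, even one with no
    token at all, passes the admin check."""
    me = canvas_get("/api/v1/users/self", "tok-lee-admin")
    admins = canvas_get("/api/v1/accounts/1/admins", "tok-lee-admin")
    return me["name"], is_admin(me, admins)


def page_permission_per_user(visitor_token: Optional[str]):
    """Per-visitor credential (what an OAuth login would keep in the session):
    `self` follows the visitor, and the permissions endpoint quoted in the
    accepted answer says whether the *caller* is an admin, so the admin
    listing is not needed."""
    me = canvas_get("/api/v1/users/self", visitor_token)
    perms = canvas_get("/api/v1/accounts/self/permissions", visitor_token)
    return me["name"], bool(perms.get("manage_account_memberships"))


def rejects_anonymous(check: Callable[[Optional[str]], tuple]) -> bool:
    """True if the given page check refuses a visitor who presents no token."""
    try:
        check(None)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    for label, check in (("shared token", page_permission_shared_token),
                         ("per-user token", page_permission_per_user)):
        for tok in ("tok-lee-admin", "tok-lee-test", None):
            try:
                print(label, tok, check(tok))
            except Unauthorized as e:
                print(label, tok, "401:", e)
```

Run as a script, the shared-token check reports `lee-admin` and admin status for every visitor, including the one with no token, which is exactly the behaviour described in the question; the per-user check reports the visitor's own name, denies the test account, and gets a 401 for the anonymous visitor. The design point is that the server-side token must never be the credential that decides what a visitor may see; a per-visitor credential obtained at login is what makes `users/self` and `accounts/self/permissions` answer for the person at the browser.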