
Why does "api/v1/users/self" refer to only the same account every time?

Question asked by Lee Newton on Nov 5, 2019
Latest reply on Nov 6, 2019 by Lee Newton

In Laravel, I'm creating my own page, where I want to check if the user is a Canvas admin. If so, they have permission to see the page. Else, they're redirected. In each case, both pages reveal the full information of the user's account (just for testing purposes), so I know for sure which user it's looking at.

public function pagePermissions() {
     $self = self::getSelf();      // who the API reports as the current user
     $admins = self::getAdmins();  // admins of root account 1
     $isAdmin = self::isAdmin($self, $admins);
     if ($isAdmin) {
          echo "True!";
          return view("yesAdmin")
               ->with("isAdmin", $isAdmin)
               ->with("self", $self);
     } else {
          echo "False! YOU AREN'T AN ADMIN.";
          return view("notAdmin")
               ->with("isAdmin", $isAdmin)
               ->with("self", $self);
     }
}

private function getAdmins() {
     $adminsURL = "https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20";
     $curl = curl_init();
     self::requestCurl($curl, $adminsURL, $this->headers); // does cURL request on above URL
     $resp = curl_exec($curl);
     return self::setHeaders($curl); // decodes the response body (helper not shown)
}

private function getSelf() {
     $selfUrl = "https://my.test.instructure.com/api/v1/users/self";
     $curl = curl_init();
     self::requestCurl($curl, $selfUrl, $this->headers); // does cURL request on above URL
     $resp = curl_exec($curl);
     return self::setHeaders($curl); // decodes the response body (helper not shown)
}

private function isAdmin($user, $admins) {
     foreach ($admins as $a) {
          // strict comparison, and skip users with no SIS id: with a loose
          // comparison, null == null would otherwise count as a match
          if (isset($user["sis_user_id"]) && $a["user"]["sis_user_id"] === $user["sis_user_id"]) {
               echo "Users match!";
               return true;
          }
     }
     return false;
}


As my code above shows, my method of finding the admins to compare to is by querying the admin endpoint: ``https://my.test.instructure.com/api/v1/accounts/1/admins?per_page=20``


I identify the user by querying this endpoint: ``https://my.test.instructure.com/api/v1/users/self``


Then I compare the two by similar values (sis_id, email, etc.) and see if they relate. If they do, great.

Now, my testing works like this: I log in as my admin account. I visit the page. Since my admin account is among the admin lists, it works.

The problem starts when I then log out, log into my second account, a test non-admin one, and visit this page again. It was still permitted. In fact, "users/self" didn't look at my non-admin account at all. It was only returning my admin account.

Lastly I logged out of both accounts and visited as some anonymous user. It...still permitted me, and showed me the full

Does anyone know why Canvas does this?

TL;DR why is the "api/v1/users/self" endpoint always giving me the same result?
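For comparison, an added example (not code from the post or from the Canvas project): `users/self` reports the owner of the token in the Authorization header, so the identity lookup has to run with the visitor's own token while the app's fixed token is only used for the admin list; the `canvas_token` session key, the service token, the base URL and the account id are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes each signed-in user completed
// Canvas' OAuth2 flow and their own token is in the Laravel session under the
// hypothetical key 'canvas_token'; base URL and account id are placeholders.
const CANVAS_BASE = 'https://my.test.instructure.com';
function canvasGet(string $token, string $path): array
{
    $curl = curl_init(CANVAS_BASE . $path);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $token],
    ]);
    $body = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Canvas GET $path failed (HTTP $status)");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}
// users/self answers "who owns this token", so it must be called with the
// visitor's own token. No token in the session means an anonymous visitor.
function callerIdentity(array $session): ?array
{
    $token = $session['canvas_token'] ?? null;
    return $token === null ? null : canvasGet($token, '/api/v1/users/self');
}
// Compare the Canvas user id strictly: sis_user_id may be null for several
// users, and a loose null == null comparison would make them "match".
function isAccountAdmin(array $self, array $admins): bool
{
    foreach ($admins as $admin) {
        if (isset($self['id']) && ($admin['user']['id'] ?? null) === $self['id']) {
            return true;
        }
    }
    return false;
}
// Deny by default: an anonymous visitor never reaches the admin branch.
function pagePermissions(array $session, string $serviceToken): string
{
    $self = callerIdentity($session);
    if ($self === null) {
        return 'notAdmin';
    }
    // Listing admins needs admin rights, so the app's service token is fine
    // here; only the identity lookup above must use the visitor's token.
    $admins = canvasGet($serviceToken, '/api/v1/accounts/1/admins?per_page=100');
    return isAccountAdmin($self, $admins) ? 'yesAdmin' : 'notAdmin';
}
```

The admin list is paginated, so a production check would follow the `Link` header rather than rely on one page.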