question

laurentg avatar image
laurentg asked

GetGroup returns an inappropriate error when passed an invalid Group ID.

When Calling `GetGroup` and passing it the ID of a group which does not exist, it returns the following error:

NameValueType
error "/Group/GetGroup: The claim was not allowed to perform the requested action based on the entity's access policy. Policy comment: By default, all requests are denied. If you expected this request to succeed, you may be missing a policy. See the permissions APIs in PlayFab's Admin Api to add a permission." PlayFab.PlayFabError

with:

NameValueType
HttpCode 403 System.Int32
HttpStatus "Forbidden" System.String


This is extremely confusing since the message refers to a permission/policy issue when the actual issue is that well... the group ID is not that of an existing group.


(Note that I have verified that passing an existing group ID works just fine.)

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

3 Answers

·
Seth Du avatar image
Seth Du answered

To be clear, the default Entity Policy won't reproduce your issue, which means if an invalid group ID is input, ProfileDoesNotExist error will be returned.

Please navigate to [Game Manager] -> [Title Settings] -> [API Features] -> [Entity Global Title Policy] to check the policy.

[
  {
    "Action": "*",
    "Effect": "Allow",
    "Resource": "*--*",
    "Principal": {
      "ChildOf": {
        "EntityType": "namespace",
        "EntityId": "xxxxx" // your namespace id
      }
    },
    "Comment": "The default allow title in namespace full access",
    "Condition": {
      "CallingEntityType": "title"
    }
  },
  {
    "Action": "*",
    "Effect": "Allow",
    "Resource": "pfrn:data--*![SELF]/Profile/*",
    "Principal": "[SELF]",
    "Comment": "The default allow profile self access",
    "Condition": null
  },
  {
    "Action": "*",
    "Effect": "Allow",
    "Resource": "pfrn:data--*![SELF]/Profile/*",
    "Principal": {
      "ChildOf": {
        "EntityType": "[SELF]"
      }
    },
    "Comment": "The default allow profile child access",
    "Condition": null
  },
  {
    "Action": "Write",
    "Effect": "Deny",
    "Resource": "pfrn:data--*!*/Profile/Statistics/*",
    "Principal": "*",
    "Comment": "Only title can edit user statistics",
    "Condition": {
      "CallingEntityType": "title_player_account"
    }
  },
  {
    "Action": "Write",
    "Effect": "Deny",
    "Resource": "pfrn:data--*!*/Profile/Statistics/*",
    "Principal": "*",
    "Comment": "Only title can edit user statistics",
    "Condition": {
      "CallingEntityType": "character"
    }
  },
  {
    "Action": "Write",
    "Effect": "Deny",
    "Resource": "pfrn:data--*!*/Profile/Statistics/*",
    "Principal": "*",
    "Comment": "Only title can edit user statistics",
    "Condition": {
      "CallingEntityType": "master_player_account"
    }
  },
  {
    "Action": "Write",
    "Effect": "Deny",
    "Resource": "pfrn:data--group!*/Profile/Statistics/*",
    "Principal": {
      "MemberOf": {
        "RoleId": "*"
      }
    },
    "Comment": "Only title can edit group statistics",
    "Condition": null
  }
]
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Seth Du avatar image
Seth Du answered

It is a general error message caused by violation of policy because by default, only the Group member can get the information of a group. Since the Group ID is not existed, surely the player is not a member.

Meanwhile if you modified the entity policy and enabled the read permission of Group for all players, the following error will be returned.

{
    "code": 400,
    "status": "BadRequest",
    "error": "ProfileDoesNotExist",
    "errorCode": 1298,
    "errorMessage": "No group profile found at 1E8D1BA1FA846290A"
}

I believe the Policy condition will be checked prior to Profile. Please feel free to let me know if you have issue on implement any specific features in your project.

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

laurentg avatar image
laurentg answered

Thank you @SethDu for your answer.

Unfortunately, this is not a satisfying explanation.

`GetGroup` currently works perfectly fine for us when queried by a player which is *not* a member of the queried groups, so this has nothing to do with the Policy not being set correctly.

If I call `GetGroup` on an existing group unrelated to the current player, it works fine without returning the error you mention.

4 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Seth Du avatar image Seth Du ♦ commented ·

May I ask what is the callback result "when queried by a player which is *not* a member of the queried groups" ?

0 Likes 0 ·
laurentg avatar image laurentg Seth Du ♦ commented ·

Sure,
when calling GetGroup() on a group the player is not a member of we get a successful callback response such as this one:

{PlayFab.GroupsModels.GetGroupResponse} PlayFab.GroupsModels.GetGroupResponse
+   base  {PlayFab.GroupsModels.GetGroupResponse} PlayFab.SharedModels.PlayFabResultCommon
    AdminRoleId "admins"  System.String
+   Created "9/18/2019 1:52:11 PM"  System.DateTime
+   Group {PlayFab.GroupsModels.EntityKey}  PlayFab.GroupsModels.EntityKey
    GroupName "Gang des Salameches" System.String
    MemberRoleId  "members" System.String
    ProfileVersion  37  System.Int32
-   Roles Count = 3
+   [0] "[admins, Administrators]"
+   [1] "[members, Members]"
+   [2] "[vp, VP]"
0 Likes 0 ·
Seth Du avatar image Seth Du ♦ laurentg commented ·

It seems to be the returned type of callback result. Please print out the contents in GetGroupResponse

0 Likes 0 ·
Show more comments

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.