Developer forum

Accessing a cart by secret when impersonating a user returns a 403

Joseph Vause

Hi,

Our client has raised an issue in that when you are impersonating another user, the cart functionalities do not work.

We have moved to using Javascript and the APIs provided in the swagger documentation for controlling carts to avoid having to do page refreshes when updating a quantity for example. 

We use these API endpoints, which work just fine when we are logged in as the master user:

DELETE /dwapi/ecommerce/carts/${cartSecret}/items/${orderLineId}

GET /dwapi/ecommerce/carts/${cartSecret}

PATCH /dwapi/ecommerce/carts/${cartSecret}/items

PATCH /dwapi/ecommerce/carts/${cartSecret}/items/${orderLineId}

The issue is that these return a 403 instead of 200 when we log in as the master user, but then impersonate another user, so the Add to cart fails as we do not get the expected status codes back for these endpoints based on the operation they are trying to do (get basket, update item, remove item, etc.).

I can see when impersonating a user that the cart secret changes as expected to their basket's secret, as opposed to the cart secret of the master user.

E.G:

Impersonated User:

Master User:

However, the API does not seem to respect that we are impersonating the user and therefore should be able to use their cart secret as if it was the cart secret of the master user. 

There is no way I can see in the API docs to be able to pass in the Impersonated User Id or similar to indicate we are in impersonation mode.

There are Impersonate endpoints, however I'm not clear on when these should be called and even if they should, as we have already entered impersonate mode using the out of the box Impersonate functionality. If we did use this endpoint, do we not need to call them again to un-impersonate a user when switching back to the master user?

GET: /dwapi/users/impersonatees

GET: /dwapi/users/impersonate

This is going to be a major problem for us if we cannot come up with a resolution.

Any advice on how to approach this problem would be highly appreciated.

Kind Regards,

Joe


Replies

 
Nicolai Pedersen Dynamicweb Employee

Hi Jose

When you impersonate in the webapi, you get another JWT for the impersonated user, and you need to use that JWT. You cannot use the JWT of the master user.

If you impersonate in regular DW and then ask the API for the cart, you have to get a JWT for that impersonated user before asking the API.

BR Nicolai

 
Nicolai Pedersen Dynamicweb Employee

Remember that the APIs are stateless - they have no clue you impersonated in a pageview. The API endpoints do not have cookies, sessions or anything else from your regular pages. So you have to explicitly tell them everything from currency, users, impersonation etc.
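
The behaviour described in the replies above, as an added example that is not part of the original posts and is not Dynamicweb code: a stateless cart call is authorized only from what the request itself carries, so the master user's JWT with the impersonated user's cart secret gets a 403, while the impersonated user's JWT gets a 200. The `sub` claim, the `Authorization: Bearer` header, the sample users and cart secrets, and the stand-in server check are all constructed assumptions.

```javascript
// Added illustration, not Dynamicweb code. The token claim ("sub"), the sample
// users and cart secrets, and the server-side rule are constructed assumptions.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed, unsigned sample token. A real API verifies the signature.
const sampleJwt = (userId) => `${b64url({ alg: 'none' })}.${b64url({ sub: userId })}.`;

// Client side: every call carries its own identity; no cookie or session is sent.
function cartRequest(method, cartSecret, jwt, orderLineId) {
  const path = `/dwapi/ecommerce/carts/${encodeURIComponent(cartSecret)}`
    + (orderLineId ? `/items/${encodeURIComponent(orderLineId)}` : '');
  return { method, path, headers: jwt ? { Authorization: `Bearer ${jwt}` } : {} };
}

// Stand-in for the stateless server: it sees only the request, so the cart
// owner is compared with the token subject, never with page-session state.
const cartOwners = new Map([['secret-master', 'master'], ['secret-customer', 'customer']]);
function authorizeCartRequest(req) {
  const auth = req.headers.Authorization || '';
  if (!auth.startsWith('Bearer ')) return 401; // no identity supplied
  let sub;
  try {
    const payload = auth.slice(7).split('.')[1];
    sub = JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).sub;
  } catch (e) {
    return 401; // malformed token
  }
  const secret = decodeURIComponent(req.path.split('/')[4]);
  if (!cartOwners.has(secret)) return 404;
  return cartOwners.get(secret) === sub ? 200 : 403;
}

// The three cases from the thread, using constructed tokens.
function demo() {
  const master = sampleJwt('master');
  const customer = sampleJwt('customer'); // JWT issued for the impersonated user
  return {
    masterOwnCart: authorizeCartRequest(cartRequest('GET', 'secret-master', master)),
    masterJwtOtherCart: authorizeCartRequest(cartRequest('GET', 'secret-customer', master)),
    impersonatedJwt: authorizeCartRequest(cartRequest('GET', 'secret-customer', customer)),
  };
}
```
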

 
