• Issue: Non-administrative shop manager users trigger multiple 40x HTTP status codes when accessing the order overview in the WordPress backend. This might trigger a web application firewall to block the remote IP.

    Affected versions: WordPress 6.6.1, woocommerce 9.3.3, User Role Editor 4.64.2.

    Solution: Add the access right “jetpack_connect_user” to your shop manager user group.

    Explanation: Repeated calls to the REST API endpoint /wp-json/jetpack/v4/connection/data fail (see HTTP server log) when a backend user (shop manager, without full admin rights) accesses the orders overview.

    [03/Nov/2024:13:22:10 +0100] "GET /wp-json/jetpack/v4/connection/data?_locale=user HTTP/2.0" 403 297 "https://<REDACTED>/wp-admin/admin.php?page=wc-orders"

    Code block handling the REST API endpoint calls: woocommerce/vendor/automattic/jetpack-connection/src/class-rest-connector.php, line 644:

        public static function user_connection_data_permission_check() {
                if ( current_user_can( 'jetpack_connect_user' ) ) {
                        return true;
                }
    
                return new WP_Error(
                        'invalid_user_permission_user_connection_data',
                        self::get_user_permissions_error_msg(),
                        array( 'status' => rest_authorization_required_code() )
                );
        }

    Apparently, any shop manager recently requires at least the access right jetpack_connect_user; alternatively, the WooCommerce team might want to consider switching to a test for is_user_logged_in() instead of this access right.

    Cheers,

    Matthieu
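As an added example (not from the thread and not WooCommerce or Jetpack code), a Python triage script for the server log pattern quoted above: it parses combined-format access log lines, separates 403s on /wp-json/jetpack/v4/connection/data that are referred from the orders page from any other 403s, and returns a per-IP verdict that a WAF exemption rule could be based on. The IP addresses, host name and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined"-style line: client IP, timestamp, request, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

JETPACK_CONNECTION_DATA = "/wp-json/jetpack/v4/connection/data"
WC_ORDERS_REFERER = "/wp-admin/admin.php?page=wc-orders"

# Constructed sample (placeholder IPs/host): 203.0.113.5 is a shop manager hitting the
# capability check, 198.51.100.9 mixes that with an unrelated 403, 192.0.2.7 is clean.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2024:13:22:10 +0100] "GET /wp-admin/admin.php?page=wc-orders HTTP/2.0" 200 51234 "https://shop.example/wp-admin/"
203.0.113.5 - - [03/Nov/2024:13:22:10 +0100] "GET /wp-json/jetpack/v4/connection/data?_locale=user HTTP/2.0" 403 297 "https://shop.example/wp-admin/admin.php?page=wc-orders"
203.0.113.5 - - [03/Nov/2024:13:22:11 +0100] "GET /wp-json/jetpack/v4/connection/data?_locale=user HTTP/2.0" 403 297 "https://shop.example/wp-admin/admin.php?page=wc-orders"
203.0.113.5 - - [03/Nov/2024:13:22:12 +0100] "GET /wp-json/jetpack/v4/connection/data?_locale=user HTTP/2.0" 403 297 "https://shop.example/wp-admin/admin.php?page=wc-orders"
198.51.100.9 - - [03/Nov/2024:13:25:01 +0100] "GET /wp-json/jetpack/v4/connection/data?_locale=user HTTP/2.0" 403 297 "https://shop.example/wp-admin/admin.php?page=wc-orders"
198.51.100.9 - - [03/Nov/2024:13:25:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-"
192.0.2.7 - - [03/Nov/2024:13:26:00 +0100] "GET /shop/ HTTP/2.0" 200 8821 "-"
"""

def classify(entry):
    """Label one parsed request for WAF triage."""
    if entry["status"] != 403:
        return "ok"
    path = entry["path"].split("?", 1)[0]
    if path == JETPACK_CONNECTION_DATA and WC_ORDERS_REFERER in entry["referer"]:
        return "wc_orders_capability_403"  # the known-benign pattern described in the thread
    return "unexplained_403"

def triage(log_text):
    """Return {ip: {label: count}} over every parsable line."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line in another format; ignore rather than guess
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        per_ip[entry["ip"]][classify(entry)] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

def waf_verdict(counts):
    """'exempt' if every 403 is the known pattern, 'review' if any other 403, else 'ok'."""
    if counts.get("unexplained_403", 0):
        return "review"
    if counts.get("wc_orders_capability_403", 0):
        return "exempt"
    return "ok"
```

Running `triage(SAMPLE_LOG)` and `waf_verdict` on each entry yields "exempt" for 203.0.113.5, "review" for 198.51.100.9 and "ok" for 192.0.2.7, so only the IP whose 403s are all explained by the capability check is a candidate for a WAF exemption.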

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Matthieu-P. Schapranow

    (@theschappy)

    As current_user_can() uses map_meta_cap() to check for capabilities, you also need to enable the capability manage_options (a meta capability) in addition to the jetpack_connect_user capability for your user or user role to make it work.

    Thread Starter Matthieu-P. Schapranow

    (@theschappy)

    To summarize my observations up to now: WordPress admin users do not see any issues. Any non-admin users without the manage_options WordPress capability will receive an HTTP 403 for the Jetpack REST API endpoint /wp-json/jetpack/v4/connection/data. Typically, you do not want to have non-admin users equipped with the manage_options capability, because it basically allows managing and changing the majority of WordPress settings. This might be connected to the issue ticket from Jan 2024: https://github.com/woocommerce/woocommerce/issues/44009. I will link this thread there and request additional support.

    Plugin Support Zubair Zahid (woo-hc)

    (@doublezed2)

    Hello Matthieu-P. Schapranow,

    Thank you for contacting WooCommerce support.

    I understand your shop managers are triggering multiple 40x HTTP status codes when accessing the order overview, which could lead to your web application firewall blocking the remote IP.

    To address this issue more effectively, I suggest opening a GitHub issue.
    This way our development team can investigate further and develop a fix if needed.

    Please don’t hesitate to contact us again if you have any questions or concerns.
    We are here to help.

    Best regards.

    Thread Starter Matthieu-P. Schapranow

    (@theschappy)

    @doublezed2: I have identified the GitHub issue mentioned above (#44009) as possibly connected to my support question here. Therefore, I have added relevant information to the GitHub issue and requested reopening the issue from earlier this year. Unfortunately, I am not allowed to reopen the issue (missing access permission). Therefore, I would be very thankful if you could reopen the linked GitHub issue. Many thanks!

    Plugin Support shahzeen (woo-hc)

    (@shahzeenfarooq)

    Hi there!

    I understand your concern. I see that you’ve already added information to the closed bug report here: https://github.com/woocommerce/woocommerce/issues/44009. I suggest waiting a few days, as our developers may reopen the bug or provide further assistance.

    If you don’t receive a response after a few days, it might be best to create a new bug report. Include your issue details in the new thread and reference the closed bug link to ensure context is maintained.

    Thank you!
