Status: Closed
Severity 3 - Minor
The KeyResults endpoint appears to be locked to the Super User role only. One would assume that the permissions would be the same as the Objective level that the OKR is tied to.
I've tested this with a custom (non-Super User) role that has every possible permission enabled, and I still get a 403 Forbidden when doing a GET on one of my KeyResults, even though I can view the same OKR in the JA web UI.
Steps to Reproduce
1. I tested this with a Program level objective OKR, but any level should work: Create or locate a Key Result and make sure that your current user can see it in the JA UI.
2. Create (or use an existing) non-Super User level role that has every permission enabled.
3. Assign the user used in step 1 to this role and grab their API token.
4. Use the API token to make a GET call to the KeyResults API endpoint for the OKR viewed in step 1.
The OKR data should be fetched with the GET request
The API request fails with a 403 Forbidden
It is possible to make the request using a Super User level account. That is currently the only known workaround.