This is an odd problem.

I am using the REST API to send PATCH requests from a Node server to update user data. The PATCH requests look like this:

const response = fetch(SHARED_CONFIG.cmsBaseURL + 'entity/flagging?_format=json', {
    method: 'PATCH',
    headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': 'Basic ' + creds,
    },
    body: JSON.stringify(sendData),
});

The creds variable contains username:password in base64 encoding, according to the spec. This has worked fine for over a year. But as of yesterday, it suddenly stopped working, without any changes to the Drupal configuration. In the logs I see:

Path: /user/247552?_format=json. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: Users can only update their own account, unless they have the 'administer users' permission. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 120 of /var/www/html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

So I double-checked that the user (in the Authorization header) has permission to 'administer users', and it does. I also tried using different users and users with admin access (which should bypass all permissions), but I still get the same error.

It seems that no matter what I do, I get access denied trying to use PATCH via the REST API, supplying authorization via the Authorization header using HTTP basic auth. I have double-checked everything a hundred times and am at my wits' end here. I have a staging environment that is almost identical to the live environment (cloned a few days earlier) which doesn't have this problem. As far as I am aware, there were no meaningful changes to the live environment since the cloning.

Chris Scott
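
An offline check of the Authorization header value described in the question, as an added example that is not part of the original post: it builds the header per RFC 7617 and inspects an existing value for encoding mistakes before it is sent. The function names and sample credentials are hypothetical and constructed for illustration.

```javascript
// Added example: offline sanity check for an HTTP Basic Authorization header (RFC 7617).
// Function names and sample credentials are constructed, not taken from the post.

function buildBasicAuth(username, password) {
  if (username.includes(':')) {
    throw new Error('RFC 7617: the user-id must not contain a colon');
  }
  // Encode the UTF-8 bytes of "username:password" with no trailing newline.
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

function inspectBasicAuth(headerValue) {
  const problems = [];
  const match = /^Basic +([\s\S]*)$/i.exec(headerValue);
  if (!match) {
    return { username: null, passwordLength: 0, problems: ['scheme is not "Basic"'] };
  }
  const token = match[1];
  if (/^Basic\s/i.test(token)) problems.push('"Basic " prefix applied twice');
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(token) || token.length % 4 !== 0) {
    problems.push('token is not canonical padded base64');
  }
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon === -1) problems.push('decoded value has no ":" separator');
  if (/[\r\n]/.test(decoded)) problems.push('decoded value contains a line break');
  if (decoded.includes('\uFFFD')) problems.push('decoded bytes are not valid UTF-8');
  // Only the first colon separates user-id and password; passwords may contain colons.
  const username = colon === -1 ? null : decoded.slice(0, colon);
  const password = colon === -1 ? '' : decoded.slice(colon + 1);
  // Report the password length only, so the secret never reaches a log.
  return { username, passwordLength: password.length, problems };
}

// Constructed sample run.
console.log(inspectBasicAuth(buildBasicAuth('api_user', 'constructed-password')));
```

Running `inspectBasicAuth` on the exact string the server puts in the header shows which username the receiving side will see after decoding.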

0 Answers