[BUG] Endpoint api/user/orgs only available for users

[diomedesadmin]

I saw this issue was opened before, but it was closed as mistake. I am experiencing this issue right now.

2025-01-17 13:11:00 ERR service/login.go:46 unable to determine org ID, falling back err="All attempts fail:\n#1: ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403\n#2: ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403\n#3: ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403"
2025-01-17 13:11:00 INF api/orgs.go:50 Retrying request after error orgName=REDACTED err="ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403"
2025-01-17 13:11:05 INF api/orgs.go:50 Retrying request after error orgName=REDACTED err="ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403"
2025-01-17 13:11:45 INF api/orgs.go:50 Retrying request after error orgName=REDACTED err="ErrTransport: Get \"http://REDACTED/api/user/orgs\": dial tcp REDACTED:80: i/o timeout"
2025-01-17 13:11:45 ERR service/login.go:46 unable to determine org ID, falling back err="All attempts fail:\n#1: ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403\n#2: ErrValidator: response error for http://REDACTED/api/user/orgs: unexpected status: 403\n#3: ErrTransport: Get \"http://REDACTED/api/user/orgs\": dial tcp REDACTED:80: i/o timeout"

curl -X 'GET' 'http://REDACTER/api/user/orgs' \
>   -H 'accept: application/json' \
>   -H 'Authorization: Bearer TOKEN'
{"message":"Endpoint only available for users"

Grafana version

curl  *********/api/health
{
  "commit": "5f10d55b14dd43b170b1129ccc3ec26480abca8c",
  "database": "ok",
  "version": "11.0.6"
}

gdg version
2025-01-17 13:31:10 INF Build Date: 2025-01-16T20:11:55Z
2025-01-17 13:31:10 INF Git Commit: 52ed9c650154ad0188ee3edfb7d6c58dcba998ec
2025-01-17 13:31:10 INF Version: v0.7.2
2025-01-17 13:31:10 INF Go Version: go1.23.4
2025-01-17 13:31:10 INF OS / Arch: linux amd64

[safaci2000]

Sorry it's close to my end of day, apparently reading is a bit harder. Removed the previous comments for clarity as it wasn't actually related to your question. Let me rephrase my answer once more.

OrgUsers can work with a token. I can open that up but it does make it a bit more confusing because the permissions for managing these entities are all over the place.

Listing/Uploading users requires basic auth.
Listing/Uploading Orgs requires basic auth.
Add a user to an org can be done via token. I need to investigate but I assume most of the api/user/orgs are probably using the same permissions scheme.

There's also supporting endpoints that are invoked in the code path to for example to get the Org ID for a given slug or orgName that do required admin privileges. Honestly if you're dealing with Orgs you probably should be using your admin account.

That being said, I'll take a pass at this on this on Monday and see if there's a pattern that makes sense once I determine the required permissions for all the given operations and related supporting endpoints.