`Enable Studio Access to API Services` changing permissions bypass

When I’m an owner of a place I am able to successfully modify game settings by enabling or disabling Enable Studio Access to API Services property - no error is displayed and that is probably the intended behaviour.

HOWEVER: I believe you should not be able to modify the setting when you’re only invited to edit someone’s place (so someone shared you permission to edit a place via collaborators tab - not even via a group).

And this is not really working fully properly - when editing place’s setting (studio access to api services) I am seeing an error that the settings could not have been changed; in the console there is a warning logged that the rest api request to change the settings has resulted in 403 Forbidden status; yet after refreshing the game settings tab one can see that the setting has successfully been changed.

And it’s not only visual behaviour - after modifying the setting also the behaviour changes - I have confirmed that it actually affects the possibility of accessing the studio apis during testing. When I disable the setting, a 502 database error appears (disabled studio access) and it’s gone when enabling the setting).

Expected behavior

The behaviour should be consistent - either:

  • an error is thrown and the setting itself is not modified (I assume this should be actually happening)
    or
  • no error is thrown and the setting is modified w/o any error prompts
3 Likes