LearningLocker responds with 403 Forbidden when trying to read xAPI statement

Jan 11, 2022

Hi, a client wants to track a multiple response interaction with xAPI. They use LearningLocker Enterprise and I don't know much if anything about either of those things. I eventually managed to get it working (code using xapiwrapper) with my local LL instance by following this guide.

However, when trying this with the client's enterprise endpoint, I couldn't GET the id I need to PATCH the metadata: "message":"Privileges not sufficient for this operation"

GET https://saas.learninglocker.net/api/v2/statement?query={"statement.id":"<REDACTED>"}&select={"statement.id":1}
Accept: */*
Accept-Language: de-DE,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: Basic <REDACTED>
Content-Type: application/json; charset=utf-8
Origin: http://localhost:8000
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 403 Forbidden
date: Mon, 10 Jan 2022 13:08:52 GMT
content-type: application/json; charset=utf-8
content-length: 107
server: nginx
access-control-allow-origin: *
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
X-Firefox-Spdy: h2

I know this is very technical, but I'd appreciate if anyone could help me find answers to these questions:

  • Is there something blatently wrong with the request?
  • Does the customer need to change something in the web app, e. g. permissions and if so, what exactly?
  • Is this even the best way to do it? Is there perhaps a vendor agnostic way to send multiple responses that non-IT people can work with?

Thank you very much!

1 Reply
Dominik Rosehnal

For future reference:

I figure it out, the xAPI client was configured to only allow writing statements. The enterpreise version behaves different in that it actually responds with 403, whereas the open source server didn't even bother.

According to the documentation:

If you receive an “unauthorised error” from this API, you can use the three checks below via the Client UI. To remove the need for these checks, Learning Locker will automatically create a new client when a new store is created, the new client is enabled by default, with the “All” scope, and the LRS set to the new store. To avoid unauthorised errors, try to use the new client and remember the checks below if you edit or create a client manually.

  1. Check that the client is enabled.
  2. Check that the “All” scope is selected under the “xAPI” heading.
  3. Check that an LRS is selected.