If you see a "Bad response code" for either 401 (Unauthorized) or 403 (Forbidden), the Sync Core is not allowed to make requests to your site using the credentials that the module created during the installation.
401 indicates that the authentication failed (i.e. the login with the CMS Content Sync user), 403 indicates that the authorization failed (i.e. roles, permissions of the CMS Content Sync user).
There are edge cases when the status code is not reliable so please check the site's logs for the request that failed to understand what request user Drupal logged. If it is anonymous then the authentication failed and if it's CMS Content Sync then the authorization failed.
Both authentication and authorization can fail if your site is Basic Auth protected, e.g. because it's a private staging or testing site. The Sync Core must be allowed to bypass Basic Auth so if you are using Basic Auth protection please whitelist our IP addresses to be excluded from the Basic Auth requirement.
Typical error messages are:
- The 'restful get|post|put|delete cms_content_sync_sync_core_entity_item' permission is required.
- The 'restful get cms_content_sync_sync_core_entity_list' permission is required.
Important Security Restrictions
Please use the steps documented below to resolve the issue. If they don't resolve the issue please reach out to our support. Please avoid the following insecure practices:
- Don't give the CMS Content Sync user admin permissions.
- Don't give the anonymous user REST permissions.
Both can significantly harm your site.
Authentication
If authentication fails and there's no Basic Auth protection then the Sync Core likely doesn't have the necessary user account or an incorrect password.
User doesn't exist
Please go to the User list in the Drupal administration area and ensure that the CMS Content Sync user exists. The CMS Content Sync user is created when the module is installed and must not be removed. If you did remove the user please:
- Create a new user and name it "CMS Content Sync".
- Copy the user ID and run the following drush command, replacing NEW_USER_ID with the copied ID: drush ev '\Drupal::service("keyvalue.database")->get("cms_content_sync_user")->set("uid", NEW_USER_ID);'
- Clear the Drupal cache.
- Edit the user and assign a random 64-character password, consisting of numbers, uppercase letters and lowercase letters.
- Re-register the site using the Registration tab.
Incorrect password
If the user does exist but we can't login the password that we have is probably incorrect. To recover please edit the CMS Content Sync user and enter a randomly generated 64-character password consisting of numbers, uppercase letters and lowercase letters. You don't have to remember or copy the password- simply hit Save.
Now open the Site tab of the Content Sync admin UI and append ?force=register-site, e.g.
https://example.com/en/admin/config/services/cms_content_sync/site?force=register-site
Hit Register and then Continue in our backend to return to your site. This will re-register the site to the Sync Core and update the password we have stored.
Authorization
Missing configuration
Authorization issues are usually configuration issues that can occur if you didn't export some of the configuration that we created or updated during the module install or a module update and then run another config import that will delete the existing configuration we created. Please always export the configuration after installing the module or running a database update.
First, make sure that all the configuration from the install/config folder in our module is also available on your site and that they are identical. If not, re-import the missing configuration pieces from that folder.
Clear the cache to allow the REST module to re-configure our REST routes.
Missing role
Edit the CMS Content Sync user, enable the Content Sync role and save.