As mentioned somewhere else, we are using the mlz_export plugin to retrieve the registrant information using a REST API. This plugin relies on OAuth to authenticate the user so that it gets access to this event-admin restricted information. In the same script, we'd also like to access information about the event (through the /export API), but the request fails and I guess that it is because the connection opened to Indico for /mlz_export doesn't have /export in its scopes. What should I do to enable access to /export (that also requires authentication if the event is not public) through OAuth2, ideally through the same connection?
Basically we reuse the code from the mlz_export plugin example, i.e.:
- Open an OAuth2 session with `OAuth2Session()` from the requests_oauthlib module
- Execute the method `fetch_token()` of the created session, which is also used for querying Indico afterwards.
It works well when accessing /mlz_export and fails (but without an error message causing an exception in the logs!) when accessing /export. I can imagine we are doing something wrong but it is not clear what…
So this AttributeError: error_message seems to be a bug in Indico. Another user here had the same issue. We’ll probably have a fix for this soon (but as usual you’ll need to either apply it manually or wait for 2.3.1).
If you applied this to your instance, make sure to apply the other commit from the PR as well or disable API caching in the admin area due to a security fix I added to the PR. This was not exploitable due to OAuth access being broken, but with the OAuth fix applied you could possibly leak data from OAuth-authenticated requests to public ones.