Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.
Forum rules: Please search to see if a question has already asked before creating a new topic. Please don't post the same question in multiple forums.

I'm trying to download an Output Document using the API (Get Output Document) that I have uploaded to a case via an external application. However, when i make the API call i am hit with the following:
Code: Select all
You don't have privileges to access with those credentials.
The documentation on this call says that a new security feature restricts this access. I have tried to overcome this by setting permissions to my user (admin) on the case. The access_token to make API calls i'm using is one granted with admin credentials. Is this different from a valid login session that the documentation suggests?

I can download the document fine from the front end.

Thanks so much,

document.png (42.13 KiB) Viewed 10555 times
permission.png (51.26 KiB) Viewed 10555 times
The easy solution is to disable session validation. Edit your workflow/engine/config/env.ini file and add the following line:
Code: Select all
disable_download_documents_session_validation = 1
Of course, that turns off all security, so anyone can download the files.

If you want ProcessMaker to verify that the logged-in REST user has proper access to the file before downloading, then you can edit the source code of workflow/engine/methods/cases/cases_ShowDocument.php and change the source code from:
Code: Select all
if (empty($_GET['v'])) {
    //Load last version of the document
    $docVersion = $oAppDocument->getLastAppDocVersion($_GET['a']);
} else {
    $docVersion = $_GET['v'];

//Check if the user can be download the input Document
//Send the parameter v = Version
//Send the parameter a = Case UID
Code: Select all
if (empty($_GET['v'])) {
    //Load last version of the document
    $docVersion = $oAppDocument->getLastAppDocVersion($_GET['a']);
} else {
    $docVersion = $_GET['v'];

if (isset( $_GET['sid'] )) {
    Bootstrap::LoadClass( 'sessions' );
    $oSessions = new Sessions();
    if ($aSession = $oSessions->verifySession( $_GET['sid'] )) {
        require_once 'classes/model/Users.php';
        $oUser = new Users();
        $aUser = $oUser->load( $aSession['USR_UID'] );
        $_SESSION['USER_LOGGED'] = $aUser['USR_UID'];
        $bRedirect = false;
        if ((preg_match("/msie/i", $_SERVER ['HTTP_USER_AGENT']) != 1 ||
            $config['ie_cookie_lifetime'] == 1) &&
            (!(preg_match("/safari/i", $_SERVER ['HTTP_USER_AGENT']) == 1 && 
            preg_match("/chrome/i", $_SERVER ['HTTP_USER_AGENT']) == 0) ||
            $config['safari_cookie_lifetime'] == 1)) 
            if (PHP_VERSION < 5.2) {
                setcookie(session_name(), session_id(), time() + $timelife, '/', '; HttpOnly');
            } else {
                setcookie(session_name(), session_id(), time() + $timelife, '/', null, G::is_https(), true);
        $RBAC->loadUserRolePermission( $RBAC->sSystem, $_SESSION['USER_LOGGED'] );
        $memKey = 'rbacSession' . session_id();
        $memcache->set( $memKey, $RBAC->aUserInfo, PMmemcached::EIGHT_HOURS );

//Check if the user can be download the input Document
//Send the parameter v = Version
//Send the parameter a = Case UID
Also edit workflow/engine/methods/cases/cases_ShowOutputDocument.php and change the code from:
Code: Select all
$download = $oOutputDocument->Fields['OUT_DOC_OPEN_TYPE'];

//Check if the user can be download the Output Document
Code: Select all
$download = $oOutputDocument->Fields['OUT_DOC_OPEN_TYPE'];

if (isset( $_GET['sid'] )) {
    Bootstrap::LoadClass( 'sessions' );
    $oSessions = new Sessions();
    if ($aSession = $oSessions->verifySession( $_GET['sid'] )) {
        require_once 'classes/model/Users.php';
        $oUser = new Users();
        $aUser = $oUser->load( $aSession['USR_UID'] );
        $_SESSION['USER_LOGGED'] = $aUser['USR_UID'];
        $bRedirect = false;
        if ((preg_match("/msie/i", $_SERVER ['HTTP_USER_AGENT']) != 1 ||
            $config['ie_cookie_lifetime'] == 1) &&
            (!(preg_match("/safari/i", $_SERVER ['HTTP_USER_AGENT']) == 1 && 
            preg_match("/chrome/i", $_SERVER ['HTTP_USER_AGENT']) == 0) ||
            $config['safari_cookie_lifetime'] == 1)) 
            if (PHP_VERSION < 5.2) {
                setcookie(session_name(), session_id(), time() + $timelife, '/', '; HttpOnly');
            } else {
                setcookie(session_name(), session_id(), time() + $timelife, '/', null, G::is_https(), true);
        $RBAC->loadUserRolePermission( $RBAC->sSystem, $_SESSION['USER_LOGGED'] );
        $memKey = 'rbacSession' . session_id();
        $memcache->set( $memKey, $RBAC->aUserInfo, PMmemcached::EIGHT_HOURS );

//Check if the user can be download the Output Document
Then, download my extraRest plugin: ... /extraRest

Then go to Admin > Plugins > Plugin Manager in ProcessMaker and import the extraRest plugin. Then, activate it.

In your REST code, you can use this endpoint to obtain the session ID:

Then add &sid={session-id} to the URLs to download Input Documents and Output Documents.
For example: ... 1029627249 ... 1029627249

For example:
Code: Select all
$url = "";
$oRet = pmRestRequest("GET", $url, null, $oToken->access_token);
$sessionId = $oRet->response;
$downloadUrl = ""  . $sessionId;
$contents = file_get_contents($downloadUrl) or die("Unable to access file $downloadUrl");
Here is the code for the REST endpoint:
Code: Select all
     * Get a login session ID that can be attached to URLs used in ProcessMaker:
     * http://<address>/sys<workspace>/<lang>/<skin>/<folder>/<method>.php?sid=<session-id> 
     * Ex: 
     * @url GET /session-id
     * @access protected
     * @return string The session ID.
     * @author Amos Batto <>
     * @copyright Public Domain
    public function getSessionId() {  
        try {    
            $g = new \G();
            $sessionId = $g->generateUniqueID();
            $userId = $this->getUserId();

            $session = new \Session();
            $session->setSesUid( $sessionId );
            $session->setSesStatus( 'ACTIVE' );
            $session->setUsrUid( $userId );
            $session->setSesRemoteIp( $_SERVER['REMOTE_ADDR'] );
            $session->setSesInitDate( date( 'Y-m-d H:i:s' ) );
            $session->setSesDueDate( date( 'Y-m-d H:i:s', mktime( date('H'), 
                date('i') + 15, date('s'), date('m'), date('d'), date('Y') ) ) );
            $session->setSesEndDate( '' );
            return $sessionId;
        catch (\Exception $e) {
            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
(36 KiB) Downloaded 323 times

The Quantum AI Project Trading Platform stands out[…]

I can help you with the top solution to import OST[…]

If you have an email and want to open it in PST fo[…]

Coinbase clone software is a ready-to-go software […]