We have an Asana App to which users OAuth. Later on we can use our App’s PAT to get details of OAuth user’s projects and tasks becuase they granted our app the permission to do so. But when we make an API call to get for example a user’s list of projects we get a Forbidden request response.
"message": "You do not have access to this project.",
"help": "For more information on API status codes and how to handle them, read the docs on errors: https://asana.com/developers/documentation/getting-started/errors"
Do you stock some data in cache locally, and share that cache with multiple users if they can access the same task?
If so, it can happen.
Example, user 1 have access to projets A and B.
User 2 have access to projet B only.
One task is in project A and B at the same time.
If user 1 query the task, it will see that its membership is on both projects.
If user 2 query the same task, it will only see membership of project B.
So if user 1 download and stock cached data for that task, including info of project A, when user 2 uses that cached copy of the task, he doesn’t have access to get informations for project name or any other informations about project A.
If I’m correctly understanding the scenario you’re describing, I don’t think that design is going to work.
A PAT (Personal Access Token) only provides access to the data within the account of the user that created the PAT. When you say “our app’s PAT”, what does that mean? An app can’t have a PAT, only an Asana user can.
If your users are using OAuth to authenticate, then why aren’t you using the OAuth tokens your app gets from their authentication to access their data? That’s the normal way you’d do an OAuth-based integration.