Use of Security Restrict When Calling Server Action as an API

I am calling a server action call_me.php via a post call from a server action call_api.php.

All works okay, but if I include a Server Restrict action in call_me.php then I get an authorisation error.

Is this to be expected, or is it a bug?

Best wishes,
Antony.

The security restrict step will block access for all unauthorized/not-logged-in users loading the server action.

And by calling it via an API call from a server action rather than through a form on the client side, am I considered to not be logged in?

So, are you actually logged in?

Yes, when running the server action call_api.php I am logged in.

I am just creating an extra server action call_me.php as I will need to call that code from multiple locations… so I am using it like a procedure call.

Are you actually re-using the same security provider there (the same in both server actions)?
You can click the ‘link’ button when creating the security provider so you can reuse it across your different server actions.

Yes, it is the same one and is linked.

Here is the call to the API in case there is something around that I don’t have quite right…

@patrick can advise here 🙂

This creates a new session, so you won’t be able to use the logged-in status of your primary security unless something has changed recently. It is a new PHP session since it is from the server rather than the client.

I create a second security model for these types of common server actions. I use basic authentication and put the username and password in environment variables.

As @mebeingken already mentions, this will not work if called from the server. The server request is seen as a different client/user and that’s why the restrict fails. The restrict must be placed in the server action that is called from the client, not from the server.

Brilliant, thanks for your help @mebeingken, @Teodor and @patrick!
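
The behaviour described in the replies above, as an added example that is not part of the original thread and not Wappler's own code: a small Python model of a session-restricted action and a basic-auth-restricted action, called with and without the browser's cookie. The endpoint paths, the session id and the `INTERNAL_API_USER` / `INTERNAL_API_PASS` variable names are assumptions made for the illustration.

```python
import base64, hmac, os, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSIONS = {"abc123": "antony"}  # constructed: session id that lives only in the browser's cookie
# Assumed variable names with constructed values; a deployment sets these outside the code.
os.environ.setdefault("INTERNAL_API_USER", "svc-internal")
os.environ.setdefault("INTERNAL_API_PASS", "constructed-example-secret")

def basic_header():
    """Authorization header the calling server action builds from its environment."""
    pair = f"{os.environ['INTERNAL_API_USER']}:{os.environ['INTERNAL_API_PASS']}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

class Actions(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        sid = self.headers.get("Cookie", "").partition("session=")[2].split(";")[0]
        allowed = False
        if self.path == "/call_me_session":   # restrict tied to the login session
            allowed = sid in SESSIONS
        elif self.path == "/call_me_basic":   # restrict tied to a second, basic-auth provider
            got = self.headers.get("Authorization", "")
            allowed = hmac.compare_digest(got.encode(), basic_header().encode())
        self.send_response(200 if allowed else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

def post(url, headers):
    """POST with exactly the given headers; returns the HTTP status code."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), Actions)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    out = {  # a server-side call is a fresh HTTP client: it carries no browser cookie
        "browser_with_cookie": post(base + "/call_me_session", {"Cookie": "session=abc123"}),
        "server_to_server_no_cookie": post(base + "/call_me_session", {}),
        "server_to_server_basic": post(base + "/call_me_basic", {"Authorization": basic_header()}),
    }
    server.shutdown(); server.server_close()
    return out
```

Calling `demo()` returns the status code for each of the three cases: the browser call with its cookie, the server-to-server call without one, and the server-to-server call using the basic-auth credentials.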