Just upgraded from 3.0.2 to 3.1 (to get me some email tags ).
Mortal users doing a self-enrollment via ENROLL TOKEN menu get an “(2) Authentication failure. You do not have the necessary role ([‘admin’]) to access this resource” alert. Yet the enrollment screen is fully presented, or so it seems. There is an ENROLL TOKEN button and whatever token – TOTP, U2F, etc – is correctly enrolled. But something in the initial rendering of the page is causing this error to pop. (I’m guessing?)
Policies present for enrollment_wizard, enable, disable, setpin, enrollpin, enrollU2F, enrollTOTP, etc. Saw setdescription was added in 3.1, so enabled that as well. All worked without incident in 3.0.2.
I do see these in DEBUG log, maybe related?
[2019-09-19 04:16:13,978][14411][139967355782912][DEBUG][privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded
[2019-09-19 04:16:13,978][14411][139967355782912][DEBUG][privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded