API Permissions

[deleted]

Hi. I've started using the API to automate posts for the news tag on my site. Everything is working well (apart from the format I have to use meaning I need to parse an email, rip out the bits I want, then post as a "bot user" in a loop, but that's my problem 🙂), but unless I post using an account via the API that has admin rights, I get permission denied.

Is this normal ? Having to use an admin account seems aggressive in terms of permissions, and could easily be exploited.

clarkwinkelmann

[deleted] are you posting as another user with an API Key (passing the userId after the token) or with a user API Token ?

API Tokens are broken on beta 9 and it's been fixed for the upcoming beta 10: flarum/core1828

UPDATE: also, some fields are admin-only, for example if you try setting the post time.

[deleted]

clarkwinkelmann Yes, exactly that. Passing the userID

clarkwinkelmann

[deleted] can you share an example JSON payload of the request you make with the userId= of a non-admin ?

[deleted]

clarkwinkelmann Yep - here goes

<?php

$header = array(
  "Authorization: Token <redacted>",
  "Content-Type: application/json"
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://discuss.infosecforge.io/api/discussions');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_POST, 99999999);
curl_setopt($ch, CURLOPT_POSTFIELDS, 
  json_encode((array('data' => array(
    'type' => "discussions",
    'attributes' => array(
      'title' => "Test Title",
      'content' => "Test Content"))))));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); 
$result = curl_exec($ch);

echo $result;
?>

User ID 99999999 is intentional BTW.

[deleted]

Anyone have any update on this ? Similarly, I'd like to be able to use the API to post directly to a specific tag, but can't find anything in terms of documentation (unless I'm looking in the wrong place).

Thanks

clarkwinkelmann

[deleted] here's an example request taken from the network tab on my test Flarum:

POST /api/discussions

{
  "data": {
    "type": "discussions",
    "attributes": {
      "title": "Test discussion with a tag",
      "content": "Test content"
    },
    "relationships": {
      "tags": {
        "data": [
          {
            "type": "tags",
            "id": "1"
          }
        ]
      }
    }
  }
}

[deleted]

clarkwinkelmann thanks very much.

[deleted]

One thing I'm not entirely clear on in the code I posted is where you add the type => 'tags' and id => '23'. The API is a very useful tool, but sadly, there are few examples of how this should work - even with a basic CURL implementation like mine.

clarkwinkelmann

[deleted] something like

array('data' => array(
    'type' => "discussions",
    'attributes' => array(
      'title' => "Test Title",
      'content' => "Test Content"
    ),
    'relationships' => array('tags' => array('data' => array(array(
        'type' => 'tags',
        'id' => $tagId
    ))))
  ))

or maybe more readable and with the new array syntax

[
  'data' => [
    'type' => 'discussions',
    'attributes' => [
      'title' => 'Test Title',
      'content' => 'Test Content',
    ],
    'relationships' => [
      'tags' => [
        'data' => [
          [
            'type' => 'tags',
            'id' => $tagId,
          ],
        ],
      ],
    ],
  ],
]

[deleted]

clarkwinkelmann thanks very much.