Update user permissions via API

Scumi

I intend to update a users notification preferences via API.
When I try to patch a users dataset, I get a 403 Forbidden response (for my own user/admin as well as for other users).

Patch dataset:

$data = [
	"type" => "users",
	"attributes" => [
		"username" => $username,
		"password" => $password,
		"email" => $email,
		"preferences" => [
			"notify_discussionCreated_email" => true
		]
	]
];

Is it possible to update preferences via API in general? If yes, what could lead to a 403 response?

luceos

Are you using a master token ?

Scumi

Yes I do. Other user updates (e-mail, username, passwords, avatar) also work without issues.

luceos

https://github.com/flarum/core/blob/master/src/User/Command/EditUserHandler.php#L105

You will have to do the API call as that user. To do so user the master token with header Authorization: Token <masterToken>; userId=<userId> where <userId> has to be the user you are setting the preferences for.

Scumi

That was one of my first thoughts as well, but it also doesn't work when I try to update my own preferences, even though I am the admin and the user with userId=1.

$this->api = new \Flagrow\Flarum\Api\Flarum(
	$this->url, 
	['token' => config('forum.forum_api_key') . '; userId=1'],
	$options
);

luceos

What is the user_id of the api token in the database for the master token you are using?

Scumi

user_id is 1 as well.

luceos

Scumi a master token implies user_id is set to NULL, otherwise it's "just" an api token connected to a specific user.

Scumi

Okay, thanks for the explanation, I was not aware of the difference.

I set user_id to NULL, but still get the 403 response.

For reference:

I created a token in the api_keys table with user_id = NULL
I call the API with ['token' => config('forum.forum_api_key') . '; userId=1'],
I create a data array as shown in my first post (tried default flarum-core permissions as well, the one shown is a permission from an extension)
I submit a patch request $this->api->users($forum_user_id)->patch($data)->request();

What works with the sequence:

create any user
update any user
upload an avatar for any user

Only the preferences update does not work, not for my user (who is the admin) nor for any other user (which I could understand if there is a restriction even for admins since I also cannot set preferences in the UX for other users).

Maybe the preference is not named correctly and therefor rejected? Don't know if that would result in a 403 response rather than 400.

luceos

Scumi I call the API with ['token' => config('forum.forum_api_key') . '; userId=1'],

This should have been

['token' => config('forum.forum_api_key') . '; userId=' . $forum_user_id],

For the call that only sets the preferences..

But seems like you figured that out as well 😉

Scumi

Okay, I got it working. The issue was combining it with other updates such as username, password an e-mail, whereas it works when it is a standalone function (shouldn't have cannibalized an existing function for this). I also call the master token now with the userId of the user that shall receive the update rather than the admin, who appears to not have the permission to do preference updates or even read preferences.

$data = [
	"type" => "users",
	"id" => $forum_user_id,
	"attributes" => [
		"preferences" => [
			"notify_discussionCreated_email" => true
		]
	]
];

Scumi

Yes, this is my set-up now. Thanks for pointing me in the right direction.

I assume it is design intend to not let admins read and edit user preferences?