API: Create discussion with new user = permission_denied

seodevse

So I try to create a new discussion with a newly created user, all with API. Creating a user works, but posting a discussion with that user doesn't. Using a key from api_keys table with no user id set results in csf mismatch, and setting correct user_id and new api key results in permission_denied.

Creating a discussion with userID 1 works, admin. Do I really need to post as admin? If so, how can I post as a new user instead?

Print_r:
Array ( [errors] => Array ( [0] => Array ( [status] => 403

 => permission_denied ) ) ) 

this is my header:
curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: application/json',
        'Authorization: Token ' . $apiToken . '; userId ' . $user_id
    ]);

huseyinfiliz

seodevse Did you manually generate the token? I manually generate a token and use a separate PHP file to connect to the database and update the associated user ID. While doing this, I send requests to the PHP file via cron, and with each request, the user ID is incremented by 1. Maybe something similar could be tried? Just a thought.

clarkwinkelmann

seodevse the syntax after the token is ; userId=1234 (missing =)

seodevse

huseyinfiliz I use this and insert it into api_keys: $apiTokenNewUser = bin2hex(random_bytes(40));

Did not quite follow you there...

clarkwinkelmann lol I see that now. Will try...

I actually got it working with the usual work around: making the user admin directly in the db, post then delete admin rights 🙂

huseyinfiliz

seodevse https://docs.maicol07.it/en/flarum-api-client

I’m using the Flarum API client and manually created a token in the database. This token is associated with a user ID. When I keep the token fixed and change the user ID, API requests are processed as if they are made by the user associated with the given ID. For example, the user specified by the ID is shown as the one who created the discuss. The user doesn’t need to have any specific permissions.

I connected three AI bots together—one generates the discuss title, another writes the discuss content, and the last one prepares a response. These are combined and sent via the API. So far, over 2000 discussions have been created, and I’ve approved around 200 of them. Since I implemented this, my visitor count has increased 8x.

I’m not sure if this is related to what you’re trying to do, but this is the solution I applied

What I’m trying to say is that instead of generating a new token every time, it might be sufficient to simply change the user ID and keep the token fixed, if a new token is not necessary.