A whisper is posted as a message if the user is not staff/moderator/admin when using the API

jviotti · May 1, 2019, 5:55pm

We have a cloud Discourse/2.3.0.beta9 instance and I can see that attempting to POST a whisper using the API when the user can’t see whispers (i.e. not a moderator nor an admin) results in the message being posted as a public message instead.

For example:

request({
	method: 'POST',
	baseUrl: 'https://forums.balena.io',
	json: true,
	uri: `/posts.json`,
	body: {
		raw: 'Whisper test 1234',
		topic_id: 6995,
		created_at: new Date().toISOString(),
		whisper: 'true'
	},
	qs: {
		api_key: <token>,
		api_username: `goetted`
	}
}, (error, response, body) => {
	if (error) {
		console.error(error)
		process.exit(1)
	}

	console.log(response.statusCode)
	console.log(JSON.stringify(body, null, 2))
})

Results in 200 and the following body:

200
{
  "id": 36425,
  "name": "Walter S. Ness",
  "username": "goetted",
  "avatar_template": "https://avatars.discourse.org/v2/letter/g/839c29/{size}.png",
  "created_at": "2019-05-01T17:50:05.861Z",
  "cooked": "<p>Whisper test 1234</p>",
  "post_number": 2,
  "post_type": 1,
  "updated_at": "2019-05-01T17:50:06.535Z",
  "reply_count": 0,
  "reply_to_post_number": null,
  "quote_count": 0,
  "avg_time": null,
  "incoming_link_count": 0,
  "reads": 0,
  "score": 0,
  "yours": true,
  "topic_id": 6995,
  "topic_slug": "new-issue-title-3dbf33a5-9d0c-44bd-81a6-18136952f015",
  "display_username": "Walter S. Ness",
  "primary_group_name": null,
  "primary_group_flair_url": null,
  "primary_group_flair_bg_color": null,
  "primary_group_flair_color": null,
  "version": 1,
  "can_edit": true,
  "can_delete": true,
  "can_recover": false,
  "can_wiki": false,
  "user_title": null,
  "actions_summary": [
    {
      "id": 3,
      "can_act": true
    },
    {
      "id": 4,
      "can_act": true
    },
    {
      "id": 8,
      "can_act": true
    },
    {
      "id": 7,
      "can_act": true
    }
  ],
  "moderator": false,
  "admin": false,
  "staff": false,
  "user_id": 2171,
  "draft_sequence": 1,
  "hidden": false,
  "trust_level": 2,
  "deleted_at": null,
  "user_deleted": false,
  "edit_reason": null,
  "can_view_edit_history": true,
  "wiki": false,
  "user_created_at": "2019-04-16T14:48:27.897Z",
  "user_date_of_birth": null,
  "can_accept_answer": false,
  "can_unaccept_answer": false,
  "accepted_answer": false
}

And as you can see from the API response, the message is public:

The message is correctly posted as a whisper if the user has enough privileges.

jomaxro · May 1, 2019, 6:09pm

I’m assuming you’d prefer receiving a 403 response and not having the reply posted?

jviotti · May 1, 2019, 6:11pm

Hey @jomaxro,

Correct, there should be an error if the request can’t be fulfilled, otherwise we might accidentally end up posting publicly messages that were intended to be private.

blake · May 7, 2019, 5:59pm

Thank you for reporting this @jviotti. A 403 error will now be returned if a non-staff users tries to create a whisper via the api.

https://github.com/discourse/discourse/commit/5b5b5a5931469945b6ab9d3f38b11bad83e4cf72

Topic		Replies	Views
Private Posts and Public in a single Topic Feature	6	963	August 27, 2020
Non-moderator access to whispers Feature completed , whispers	8	1299	July 15, 2022
Ways to post confidential info for moderator eyes only? Feature	44	10786	August 18, 2016
API endpoint users/by-external/ failing with authorization headers, works without Bug rest-api	3	506	June 26, 2023
Not able to add Whisper Post Using API Dev rest-api , whispers	4	1010	September 17, 2020

A whisper is posted as a message if the user is not staff/moderator/admin when using the API

Related Topics