A whisper is posted as a message if the user is not staff/moderator/admin when using the API

We have a cloud Discourse/2.3.0.beta9 instance and I can see that attempting to POST a whisper using the API when the user can’t see whispers (i.e. not a moderator nor an admin) results in the message being posted as a public message instead.

For example:

	method: 'POST',
	baseUrl: 'https://forums.balena.io',
	json: true,
	uri: `/posts.json`,
	body: {
		raw: 'Whisper test 1234',
		topic_id: 6995,
		created_at: new Date().toISOString(),
		whisper: 'true'
	qs: {
		api_key: <token>,
		api_username: `goetted`
}, (error, response, body) => {
	if (error) {

	console.log(JSON.stringify(body, null, 2))

Results in 200 and the following body:

  "id": 36425,
  "name": "Walter S. Ness",
  "username": "goetted",
  "avatar_template": "https://avatars.discourse.org/v2/letter/g/839c29/{size}.png",
  "created_at": "2019-05-01T17:50:05.861Z",
  "cooked": "<p>Whisper test 1234</p>",
  "post_number": 2,
  "post_type": 1,
  "updated_at": "2019-05-01T17:50:06.535Z",
  "reply_count": 0,
  "reply_to_post_number": null,
  "quote_count": 0,
  "avg_time": null,
  "incoming_link_count": 0,
  "reads": 0,
  "score": 0,
  "yours": true,
  "topic_id": 6995,
  "topic_slug": "new-issue-title-3dbf33a5-9d0c-44bd-81a6-18136952f015",
  "display_username": "Walter S. Ness",
  "primary_group_name": null,
  "primary_group_flair_url": null,
  "primary_group_flair_bg_color": null,
  "primary_group_flair_color": null,
  "version": 1,
  "can_edit": true,
  "can_delete": true,
  "can_recover": false,
  "can_wiki": false,
  "user_title": null,
  "actions_summary": [
      "id": 3,
      "can_act": true
      "id": 4,
      "can_act": true
      "id": 8,
      "can_act": true
      "id": 7,
      "can_act": true
  "moderator": false,
  "admin": false,
  "staff": false,
  "user_id": 2171,
  "draft_sequence": 1,
  "hidden": false,
  "trust_level": 2,
  "deleted_at": null,
  "user_deleted": false,
  "edit_reason": null,
  "can_view_edit_history": true,
  "wiki": false,
  "user_created_at": "2019-04-16T14:48:27.897Z",
  "user_date_of_birth": null,
  "can_accept_answer": false,
  "can_unaccept_answer": false,
  "accepted_answer": false

And as you can see from the API response, the message is public:

The message is correctly posted as a whisper if the user has enough privileges.


I’m assuming you’d prefer receiving a 403 response and not having the reply posted?


Hey @jomaxro,

Correct, there should be an error if the request can’t be fulfilled, otherwise we might accidentally end up posting publicly messages that were intended to be private.

1 Like

Thank you for reporting this @jviotti. A 403 error will now be returned if a non-staff users tries to create a whisper via the api.