Adding user to group from API gets "BAD CSRF"

(Jay Pfaffman) #1

I’m trying to add a user to a group via the API. From the docs and from what I see happening when I add a user from the web browser, it appears that this should work, but I’m getting “BAD CSRF”

curl -H 'Content-Type: application/json' -X PUT -d '{"api_key":"THE_KEY", "api_username":"system", "usernames":"joeuser" }'

I’m stumped. Is there something obviously silly I’m doing here?

(Blake Erickson) #2

You will need to change the Content-Type to multipart/form-data and use -F instead of -d

curl -X PUT "" \
-H "Content-Type: multipart/form-data;" \
-F "api_key=THE_KEY" \
-F "api_username=system" \
-F "usernames=joeuser"


(HTTP) This lets curl emulate a filled-in form in which a user has pressed the submit button. This causes curl to POST data using the Content-Type multipart/form-data according to RFC 2388.


(HTTP) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded.

(Jay Pfaffman) #3

That’s pretty much it. In spite of what the docs seem to imply, you can’t send JSON data, but only form-encoded data. This thread tipped me off & then I checked what was happening in the browser. I’m really trying to do this from PHP, but when that didn’t work, I fell back to curl.

For me the take-home message is that one should start with reverse engineering the API rather than looking at the docs.

(Blake Erickson) #4

I see what you mean since the examples in the api docs are in json, but that is mostly just for readability and is more like sudo code for you to use whatever tool you desire to make api calls. I’ll add a line to the top of the docs about using form-data but I still doubt people will read it.

You mean these docs with the answer you were looking for? :wink:

(Jay Pfaffman) #5

Me too. I think what would need to happen is that there’d be some indication for each API call how the data is to be passed. Or maybe it never wants JSON and always wants post data & I’ve just forgotten that since the last time I did this.