BAD CSRF Response When Trying to Delete User by API

(Justin Dennis) #1

I am trying to delete a user by API following the docs.

We use SSO, which seems to make the API require a cookie header coming from SSO authentication. I got past that, and as long as I supply the cookie, other types of actions work fine by GET. But the DELETE results in this “BAD CSRF” error.

Maybe a bug? I don’t even know where to begin troubleshooting this. Any help appreciated.

(Jeff Atwood) #2

Are you using an API key for this action? It is required.

(Justin Dennis) #3

Yes. I’ve tried both the generic one for “system” and my own, as an admin. I have been passing these as GET or POST parameters along with the cookie.

(Sam Saffron) #4

Hmmm, where is this at? Did it get resolved?

(Justin Dennis) #5

No, and I really need to get it working. I’ve not tried again since May 19. If there are updates affecting this functionality, should I try again? Thank you very much for the follow-up.

(Simon Cossar) #6

I have tested deleting users through the API on a live hosted site with SSO enabled. I’m using Postman to make the API request. It is deleting users for me. The response is {"deleted": true}. The all_users API key and API username need to be included in the body of the request.

One thing I have found is that sending the parameter "block_email": false actually causes the email address to be blocked. Sending the parameter "block_ip": false also blocked the IP address the first time I made the request. After allowing the IP address through Admin/Logs/Screened IPs, subsequent requests sending the "block_ip": false parameter did not block the IP address.

Edit: I just did a quick test with this on my local dev environment. Setting the block_email and block_ip params to false causes these two code blocks to be run. I’ve tested this both with Postman, and making the request with curl. If neither of those params are set, everything works as it should.
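An added example, not part of the thread and not Discourse's code: one way a parameter sent as `false` can still trigger the action it was meant to disable. It assumes the request body was form-encoded and that the server acts on the flag whenever the parameter is truthy; the handler functions, the placeholder key and the sample body are constructed for illustration.

```ruby
require "uri"

# Constructed request body shaped like the one described in the post
# (the key value is a placeholder).
BODY = "api_key=PLACEHOLDER&api_username=system&block_email=false&block_ip=false"

# Form-encoded parameters always arrive as strings.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

# Hypothetical handler (assumption): acts on a flag whenever the
# parameter is truthy. In Ruby only nil and false are falsy, so the
# string "false" passes this check.
def blocks_truthy(params)
  %w[block_email block_ip].select { |k| params[k] }
end

# Strict variant: only explicit true-like values enable a flag, and
# anything unrecognised is rejected instead of guessed at.
TRUE_VALUES  = %w[true t 1 yes on].freeze
FALSE_VALUES = %w[false f 0 no off].freeze

def cast_bool(value)
  return false if value.nil?
  v = value.to_s.strip.downcase
  return true if TRUE_VALUES.include?(v)
  return false if FALSE_VALUES.include?(v) || v.empty?
  raise ArgumentError, "not a boolean: #{value.inspect}"
end

def blocks_strict(params)
  %w[block_email block_ip].select { |k| cast_bool(params[k]) }
end

if __FILE__ == $PROGRAM_NAME
  params = parse_form(BODY)
  puts "truthy check blocks: #{blocks_truthy(params).inspect}"
  puts "strict cast blocks:  #{blocks_strict(params).inspect}"
end
```

For a destructive admin call, omitting an optional flag is the safer client-side choice than sending it as `false`, which matches the behaviour reported above.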