Deleting User via API results in 403


#1

Hi,

I’m wanting to delete a user via the API but have run into a 403 problem. I’ve looked at the documentation found here but still seem to be getting errors. I am able to execute other Admin requests and they succeed, but deletes do not work.

My request looks as follows:

DELETE {{base_url}}/admin/users/56.json?api_username={{api_username}}&api_key={{api_key}}

The {api_key} was generated on an Admin user and the {api_username} matches that of the user.

When I execute the request I get a response of:

{
    "errors": [
        "You are not permitted to view the requested resource."
    ],
    "error_type": "invalid_access"
}

However using the same {api_key} and {api_username} when I make a request to anonymize the user as follows:

PUT {{base_url}}/admin/users/56/anonymize/?api_username={{api_username}}&api_key={{api_key}}

The response back I get is:

{
    "success": "OK",
    "username": "anon12987334"
}

Am I just missing something simple here?


#2

Do you get anything in your logs output? From there you can also see what’s coming through and any other errors.


#3

Looking into my production.log I can see the following. Note that I removed my IP and replaced it with {BLOCKED_IP}; that’s not actually part of the log.

Started DELETE "/admin/users/56.json?api_username=mattbr&api_key=[FILTERED]" for {BLOCKED_IP} at 2018-04-20 13:42:42 +0000
Processing by Admin::UsersController#destroy as JSON
  Parameters: {"api_username"=>"mattbr", "api_key"=>"[FILTERED]", "id"=>"56"}
Can't verify CSRF token authenticity.
Completed 403 Forbidden in 8ms (Views: 0.1ms | ActiveRecord: 4.0ms)

#4

After playing around I believe I found the reason behind this; it isn’t actually a CSRF error. I am running my server on AWS EC2 and using AWS S3 for hosting attachments, avatars, etc.

I looked into the AWS IAM policy and realized I only gave my policy GET and PUT permissions but not DELETE object. After updating, waiting for it to re-populate and testing I no longer get 403 errors.

However, I do still have issues with deleting some users, the discussion for that can be found here:


(Blake Erickson) #5

I was able to duplicate this error in my local env when trying to delete a user that has posts.

What you need to do is delete_all_posts first, then delete the user.

require 'net/http'

# Assumes `http` is an open Net::HTTP connection to the forum and `client`
# exposes the admin user's api_key and api_username.
request = Net::HTTP::Put.new("/admin/users/#{id}/delete_all_posts.json?api_key=#{client.api_key}&api_username=#{client.api_username}") # 1. remove the user's posts
response = http.request(request)
request2 = Net::HTTP::Delete.new("/admin/users/#{id}.json?api_key=#{client.api_key}&api_username=#{client.api_username}") # 2. now the user can be deleted
response2 = http.request(request2)

I totally think the error message returned by the api should be improved when trying to delete a user that has posts. I’m pretty sure an actual “cannot delete a user with posts” error shows up if you use the UI.


#6

As an example, I have a test user with multiple posts. If I attempt to delete them with the API I get the You are not permitted... error.

When I delete their posts with the endpoint you’ve provided, then attempt to delete them it works perfectly fine.

However, I still have a couple of users who do not have any activity on them, no posts, topics, personal messages. When I try to delete them it will not go through and results in a 500 Internal Server Error.

From the production.log I can see the following

Started DELETE "/admin/users/8911.json?api_key=[FILTERED]&api_username=mattbr" for {BLOCKED_IP} at 2018-04-20 19:38:15 +0000
Processing by Admin::UsersController#destroy as JSON
  Parameters: {"api_key"=>"[FILTERED]", "api_username"=>"mattbr", "id"=>"8911"}
Can't verify CSRF token authenticity.
Completed 500 Internal Server Error in 278ms (ActiveRecord: 86.4ms)
Aws::S3::Errors::AccessDenied (Access Denied)

I am using AWS S3 and will play around with policies on there as that may somehow tie into this issue.
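As an added example (not code from this thread or from Discourse itself), here is the two-step delete from post #5 written so that the 403 body from post #1 and the 500 from the log above are reported per step instead of being swallowed. It assumes the query-string credentials the thread uses, a success body of `{"deleted":true}` for the destroy call, and a small constructed stand-in for Net::HTTP so it runs offline.

```ruby
require 'net/http'
require 'json'
require 'uri'
# Wraps the two admin calls. `http` is anything whose #request(req) returns an
# object with #code and #body: a Net::HTTP in real use, the stub below offline.
class DiscourseAdmin
  def initialize(http, api_key, api_username)
    @http, @api_key, @api_username = http, api_key, api_username
  end
  # Credentials in the query string, as in the thread. Current Discourse also takes
  # Api-Key / Api-Username headers, which keep the key out of URLs and proxy logs.
  def path(p)
    "#{p}?#{URI.encode_www_form(api_key: @api_key, api_username: @api_username)}"
  end
  def call(req)
    res = @http.request(req)
    [res.code.to_i, (JSON.parse(res.body) rescue {})]
  end

  # Two-step delete from post #5: purge the posts, then the user. Returns a hash
  # instead of raising so a script can log which step failed and with what body.
  def delete_user(id)
    code, body = call(Net::HTTP::Put.new(path("/admin/users/#{id}/delete_all_posts.json")))
    return { step: :delete_all_posts, status: code, errors: body['errors'] } unless code.between?(200, 299)
    code, body = call(Net::HTTP::Delete.new(path("/admin/users/#{id}.json")))
    result = { step: :destroy, status: code, deleted: code.between?(200, 299), errors: body['errors'] }
    # The thread shows the same 403 body for two root causes (user still has posts;
    # S3 policy lacking DeleteObject) and a 500 for S3 AccessDenied: check production.log.
    result[:check_logs] = true if body['error_type'] == 'invalid_access' || code == 500
    result
  end
end

# Constructed stand-in for Net::HTTP: replays canned responses, records what was sent.
FakeResponse = Struct.new(:code, :body)
class FakeHttp
  attr_reader :seen
  def initialize(responses); @responses, @seen = responses, []; end
  def request(req)
    @seen << "#{req.method} #{req.path.split('?').first}"
    @responses.shift
  end
end
FORBIDDEN = '{"errors":["You are not permitted to view the requested resource."],"error_type":"invalid_access"}'
def run(responses) # constructed bodies; the destroy success body is an assumption
  http = FakeHttp.new(responses.map { |c, b| FakeResponse.new(c, b) })
  [DiscourseAdmin.new(http, 'k', 'mattbr').delete_user(56), http.seen]
end
def demo_success; run([['200', ''], ['200', '{"deleted":true}']]); end
def demo_forbidden; run([['200', ''], ['403', FORBIDDEN]]); end # post #1's 403 body on destroy
```

To use it against a live forum, pass `Net::HTTP.new(host, 443).tap { |h| h.use_ssl = true }` as `http` instead of `FakeHttp`.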


(Blake Erickson) #7

Ahh okay, I didn’t see this line in your previous posts. So yeah, it might be something S3 related.