Invalid Access using Global Key on All users

Just noticed this issue today.

Generating an API key for all users with global scopes, then updating a topic, will result in an invalid_access:

curl --location --request PUT 'https://example.com/t/-/365.json' \
--header 'Api-User: system' \
--header 'Api-Key: ***' \
--header 'Content-Type: application/json' \
--data-raw '{
    "tags": ["awesome-tag"]
}'
{
    "errors": [
        "You are not permitted to view the requested resource. The API username or key is invalid."
    ],
    "error_type": "invalid_access"
}

However, if you generate a global API key for the user system, it works. Same request, different key.

curl --location --request PUT 'https://example.com/t/-/365.json' \
--header 'Api-User: system' \
--header 'Api-Key: DIFFERENT_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
    "tags": ["awesome-tag"]
}'
{
    "basic_topic": {
        "id": 365,
        "title": "Test topic",
        "fancy_title": "Test topic",
        "slug": "test-topic",
        "posts_count": 6
    }
}

This should be Api-Username, not Api-User.

This header is only used for “all user” API keys, so that’s why it worked when you scoped the key to a specific user.
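A pre-flight check for the header mix-up described in this answer, as an added example that is not part of the original thread or of Discourse itself. The function name `check_discourse_headers`, its exit codes and the `all-users`/`single-user` labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the auth headers on a Discourse API call.
# check_discourse_headers is a hypothetical helper, not part of Discourse or curl.
# Usage: check_discourse_headers KEY_KIND HEADER...
#   KEY_KIND: "all-users" or "single-user" (how the key was generated)
# Exit status: 0 ok, 1 no Api-Key, 2 all-users key without Api-Username,
#   3 single-user key sent with the misnamed Api-User header, 64 bad KEY_KIND.
check_discourse_headers() (
  key_kind=$1; shift
  has_key=0; has_username=0; misnamed=
  for h in "$@"; do
    # HTTP header names are case-insensitive, so compare in lower case.
    name=$(printf '%s' "${h%%:*}" | tr '[:upper:]' '[:lower:]')
    case $name in
      api-key)      has_key=1 ;;
      api-username) has_username=1 ;;
      api-user)     misnamed=${h%%:*} ;;   # the header name used in the thread
    esac
  done
  if [ "$has_key" -eq 0 ]; then
    echo "missing Api-Key header" >&2; exit 1
  fi
  case $key_kind in
    all-users)
      if [ "$has_username" -eq 0 ]; then
        [ -n "$misnamed" ] && echo "found $misnamed, expected Api-Username" >&2
        echo "all-users key sent without Api-Username: expect invalid_access" >&2
        exit 2
      fi ;;
    single-user)
      if [ -n "$misnamed" ]; then
        echo "$misnamed is not Api-Username; it only appears to work with this key" >&2
        exit 3
      fi ;;
    *) echo "KEY_KIND must be all-users or single-user" >&2; exit 64 ;;
  esac
  exit 0
)

# Constructed sample: the failing request from the first post (key is a placeholder).
check_discourse_headers all-users \
  'Api-User: system' 'Api-Key: PLACEHOLDER' 'Content-Type: application/json' \
  || echo "header check failed with status $?"
```

Status 3 is the case that hides the mistake: the request succeeds with a user-scoped key, so the wrong header name only surfaces once the key is swapped for an all-users one.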

Ah alright, was that changed recently? As I had in mind that the header is Api-User.