Testing Discourse in local development, from https://github.com/discourse/discourse master with
./bin/docker/boot_dev --init
./bin/docker/rails s
I get an error when trying to delete a topic as per the API docs with:
$ curl -X DELETE "http://localhost:3000/t/12.json?api_key=xxxx&api_username=robin"
{"errors":["You are not permitted to view the requested resource."],"error_type":"invalid_access"}
In the application logs I see:
D, [2019-02-12T12:38:30.520131 #764] DEBUG -- : Delivering messages [] to client 11cd9108a3584397adf634286781846f for user 1
I, [2019-02-12T12:38:31.123471 #764] INFO -- : Started DELETE "/t/12.json?api_key=[FILTERED]&api_username=robin" for 172.17.0.1 at 2019-02-12 12:38:31 +0000
I, [2019-02-12T12:38:31.182310 #764] INFO -- : Processing by TopicsController#destroy as JSON
I, [2019-02-12T12:38:31.183726 #764] INFO -- : Parameters: {"api_key"=>"[FILTERED]", "api_username"=>"robin", "id"=>"12"}
W, [2019-02-12T12:38:31.185032 #764] WARN -- : Can't verify CSRF token authenticity.
D, [2019-02-12T12:38:31.187818 #764] DEBUG -- : ApiKey Load (0.9ms) SELECT "api_keys".* FROM "api_keys" WHERE "api_keys"."key" = 'f866509cc1675d306ea53f0038c189668d8b71c31b022be43807f2fc96b41c8d' ORDER BY "api_keys"."id" ASC LIMIT 1
D, [2019-02-12T12:38:31.190743 #764] DEBUG -- : User Load (0.9ms) SELECT "users"."id", "users"."username", "users"."created_at", "users"."updated_at", "users"."name", "users"."seen_notification_id", "users"."last_posted_at", "users"."password_hash", "users"."salt", "users"."active", "users"."username_lower", "users"."last_seen_at", "users"."admin", "users"."last_emailed_at", "users"."trust_level", "users"."approved", "users"."approved_by_id", "users"."approved_at", "users"."previous_visit_at", "users"."suspended_at", "users"."suspended_till", "users"."date_of_birth", "users"."views", "users"."flag_level", "users"."ip_address", "users"."moderator", "users"."title", "users"."uploaded_avatar_id", "users"."locale", "users"."primary_group_id", "users"."registration_ip_address", "users"."staged", "users"."first_seen_at", "users"."silenced_till", "users"."manual_locked_trust_level" FROM "users" WHERE "users"."username_lower" = 'robin' LIMIT 1
D, [2019-02-12T12:38:31.194786 #764] DEBUG -- : Topic Load (1.0ms) SELECT "topics"."id", "topics"."title", "topics"."last_posted_at", "topics"."created_at", "topics"."updated_at", "topics"."views", "topics"."posts_count", "topics"."user_id", "topics"."last_post_user_id", "topics"."reply_count", "topics"."featured_user1_id", "topics"."featured_user2_id", "topics"."featured_user3_id", "topics"."avg_time", "topics"."deleted_at", "topics"."highest_post_number", "topics"."image_url", "topics"."like_count", "topics"."incoming_link_count", "topics"."category_id", "topics"."visible", "topics"."moderator_posts_count", "topics"."closed", "topics"."archived", "topics"."bumped_at", "topics"."has_summary", "topics"."archetype", "topics"."featured_user4_id", "topics"."notify_moderators_count", "topics"."spam_count", "topics"."pinned_at", "topics"."score", "topics"."subtype", "topics"."slug", "topics"."deleted_by_id", "topics"."participant_count", "topics"."word_count", "topics"."excerpt", "topics"."pinned_globally", "topics"."pinned_until", "topics"."fancy_title", "topics"."highest_staff_post_number", "topics"."featured_link" FROM "topics" WHERE ("topics"."deleted_at" IS NULL) AND "topics"."id" = 12 LIMIT 1
D, [2019-02-12T12:38:31.197756 #764] DEBUG -- : Category Exists (0.7ms) SELECT 1 AS one FROM "categories" WHERE "categories"."topic_id" = 12 LIMIT 1
I, [2019-02-12T12:38:31.199614 #764] INFO -- : Completed 403 Forbidden in 15ms (Views: 0.1ms | ActiveRecord: 3.4ms)
I’m guessing “Can’t verify CSRF token authenticity” is the relevant bit here. But I don’t know how to obtain a CSRF token, and I assume it shouldn’t be needed anyway when authenticating with an API key, similar to other authenticated endpoints.
Is there any way around this?
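An added example, not part of the post above or of Discourse itself: a small Ruby parser for the Rails log format shown, which groups the lines of one request (Started, Processing, Parameters, warnings, Completed) into a record and flags requests that were denied with 403 while a credential such as api_key travelled in the query string. The sample log is constructed from the lines quoted in the post; the record fields and function names are this example's own.

```ruby
# Rails logger format: "<L>, [<iso-timestamp> #<pid>] <LEVEL> -- : <message>"
RAILS_LINE = /\A([DIWEF]), \[(\S+) #(\d+)\]\s+(\w+) -- : (.*)\z/
CREDENTIAL_PARAMS = %w[api_key api_username].freeze

Request = Struct.new(:verb, :path, :controller, :params, :status,
                     :warnings, :query_credentials)

# Group log lines into requests, from "Started ..." through "Completed <status>".
def parse_requests(log)
  requests = []
  current = nil
  log.each_line(chomp: true) do |line|
    m = RAILS_LINE.match(line) or next
    level, msg = m[1], m[5]
    case msg
    when /\AStarted (\w+) "([^"]+)"/
      verb, path = $1, $2
      # Rails masks the value as [FILTERED], but the parameter name in the URL
      # still shows that a credential travelled in the query string.
      names = path.split('?', 2)[1].to_s.split('&').map { |kv| kv.split('=', 2).first }
      current = Request.new(verb, path, nil, nil, nil, [], names & CREDENTIAL_PARAMS)
      requests << current
    when /\AProcessing by (\S+) as /
      current.controller = $1 if current
    when /\AParameters: (.*)\z/
      current.params = $1 if current   # kept raw; values are already masked
    when /\ACompleted (\d{3}) /
      current.status = $1.to_i if current
    else
      current.warnings << msg if current && level == 'W'
    end
  end
  requests
end

# Requests denied with 403 while authenticating through query-string params.
def denied_with_query_credentials(requests)
  requests.select { |r| r.status == 403 && !r.query_credentials.empty? }
end

# Constructed sample, trimmed from the log lines quoted in the post.
SAMPLE_LOG = <<~'LOG'
  I, [2019-02-12T12:38:31.123471 #764] INFO -- : Started DELETE "/t/12.json?api_key=[FILTERED]&api_username=robin" for 172.17.0.1 at 2019-02-12 12:38:31 +0000
  I, [2019-02-12T12:38:31.182310 #764] INFO -- : Processing by TopicsController#destroy as JSON
  I, [2019-02-12T12:38:31.183726 #764] INFO -- : Parameters: {"api_key"=>"[FILTERED]", "api_username"=>"robin", "id"=>"12"}
  W, [2019-02-12T12:38:31.185032 #764] WARN -- : Can't verify CSRF token authenticity.
  I, [2019-02-12T12:38:31.199614 #764] INFO -- : Completed 403 Forbidden in 15ms (Views: 0.1ms | ActiveRecord: 3.4ms)
LOG
denied_with_query_credentials(parse_requests(SAMPLE_LOG)).each { |r| puts "#{r.verb} #{r.path} -> #{r.status}" }
```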