More detailed response for API /post_actions failures

TL;DR; I want to submit a PR for POST /post_actions to be more verbose to an API user in order to reduce time debugging. As of now it only returns a 403 when a user couldn’t act upon a post. Please read the rest of the post.

Today I was working on integrating likes for topics via the Discourse API, and spent too much time debugging the culprit. I was trying to like my post via the Discourse API:

I was doing a POST /post_actions with this payload

{
  "id": 42,
  "post_action_type_id": 2,
  "flag_topic": false
}

as a user with trust level 2 and default Discourse settings for topics/posts; the post was owned by the user making the request, and it always returned a HTTP 403 without any details.

At some point I tried liking the same post as a different API user, and it worked.

So, I figured it had to do something with this line: https://github.com/discourse/discourse/blob/master/app/controllers/post_actions_controller.rb#L13

I fired up byebug and eventually found that the culprit was this line: https://github.com/discourse/discourse/blob/5d9d2cf2871ce127c207f2efa192c2eb2eeb35f2/lib/guardian/post_guardian.rb#L36

I can’t like my own posts via the API… how should I have known? The thing is I would never know via the API. Hence, I want to submit a PR, but my question is:

How would you go on about this?

There’s a lot of logic hidden inside of a method which only returns a boolean value, which doesn’t help the API user a lot: https://github.com/discourse/discourse/blob/5d9d2cf2871ce127c207f2efa192c2eb2eeb35f2/lib/guardian/post_guardian.rb#L6

Paths:

  1. (Simple) When responding with a 403 on Discourse to a request to POST /post_actions, add an additional message “There was an error when trying to act upon the post”
  2. (Fancy) When responding with a 403 on Discourse to a request to POST /post_actions, with an additional message specifying the exact reason of failure.
  3. (Admin only) Add debug outputs to logs about the failure reason. (Seems messy, and the API user still won’t be smarter, but at least an admin would)

Which path makes most sense?

  • Path 1
  • Path 2
  • Path 3
  • Different path…

0 voters

3 Likes

1) doesn’t add any value over the 403. So, if you’re up for it, go for 2) :wink:

3 Likes

Path 2) is challenging… working on a PR :slight_smile:

1 Like

Is there a compelling reason of why the validation of the PostGuardian#post_can_act? isn’t happening within the PostAction#act class method?

/cc @zogstrip @eviltrout

We often enforce things at a higher level. In this case post actions should all be created through the PostActionCreator service object.

3 Likes