More detailed response for API /post_actions failures

kennym · April 25, 2017, 12:44am

TL;DR; I want to submit a PR for POST /post_actions to be more verbose to an API user in order to reduce time debugging. As of now it only returns a 403 when a user couldn’t act upon a post. Please read the rest of the post.

Today I was working on integrating likes for topics via the Discourse API, and spent too much time debugging the culprit. I was trying to like my post via the Discourse API:

I was doing a POST /post_actions with this payload

{
  "id": 42,
  "post_action_type_id": 2,
  "flag_topic": false
}

as a user with trust level 2 and default Discourse settings for topics/posts; the post was owned by the user making the request, and it always returned a HTTP 403 without any details.

At some point I tried liking the same post as a different API user, and it worked.

So, I figured it had to do something with this line: https://github.com/discourse/discourse/blob/master/app/controllers/post_actions_controller.rb#L13

I fired up byebug and eventually found that the culprit was this line: https://github.com/discourse/discourse/blob/5d9d2cf2871ce127c207f2efa192c2eb2eeb35f2/lib/guardian/post_guardian.rb#L36

I can’t like my own posts via the API… how should I have known? The thing is I would never know via the API. Hence, I want to submit a PR, but my question is:

How would you go on about this?

There’s a lot of logic hidden inside of a method which only returns a boolean value, which doesn’t help the API user a lot: https://github.com/discourse/discourse/blob/5d9d2cf2871ce127c207f2efa192c2eb2eeb35f2/lib/guardian/post_guardian.rb#L6

Paths:

(Simple) When responding with a 403 on Discourse to a request to POST /post_actions, add an additional message “There was an error when trying to act upon the post”
(Fancy) When responding with a 403 on Discourse to a request to POST /post_actions, with an additional message specifying the exact reason of failure.
(Admin only) Add debug outputs to logs about the failure reason. (Seems messy, and the API user still won’t be smarter, but at least an admin would)

Which path makes most sense?

Path 1
Path 2
Path 3
Different path…

0 voters

zogstrip · April 25, 2017, 7:47am

1) doesn’t add any value over the 403. So, if you’re up for it, go for 2)

kennym · April 25, 2017, 4:40pm

Path 2) is challenging… working on a PR

kennym · April 25, 2017, 5:45pm

Is there a compelling reason of why the validation of the PostGuardian#post_can_act? isn’t happening within the PostAction#act class method?

/cc @zogstrip @eviltrout

eviltrout · April 25, 2017, 6:07pm

We often enforce things at a higher level. In this case post actions should all be created through the PostActionCreator service object.

Topic		Replies	Views
Getting who liked a post from the API dev	7	2499	May 18, 2022
How can you like a specific post through the API? dev rest-api	3	767	April 20, 2022
Create topic using Discourse API dev rest-api	3	637	November 3, 2022
Is there a way to post as an arbitrary user when creating a new post/topic using the Discourse API? support	9	1036	May 11, 2017
Like button does not work on archived topics bug reactions	24	1081	August 23, 2022

More detailed response for API /post_actions failures

Related Topics