Problem updating user custom_fields created by a plugin

A bit of backstory: In August of 2018, I was tasked with creating a plugin for Discourse to add a few custom_fields to the User model. A bit of code hackery later, and a working plugin was created, as well as a ruby script to make a PUT request to update the custom fields via the API. Then I was reassigned to work on other things.

Fast forward to the present, and I am tasked with ensuring the plugin and associated code will work properly. The first thing I did was access the server running dockerized discourse, and update the server and discourse. The app was then rebuilt.

I then ran the test script and it failed to update the custom fields but it did return a 200 status. Checking the production log of discourse shows that the parameters are being received. however the log also states “Can’t verify CSRF token authenticity.”

Any advice to help debug the issue would be greatly appreciated

1 Like

Are you using a valid API key in the request? CSRF protection is in place for all requests (except GET), so you will need to use an API key to make the the PUT request succeed.


Yes, I am using the API key for user “system”


Can you share how you are making the request? What API endpoint are you calling?

assuming “key” is defined in the script
the end point is: https://HOSTNAME/users/jezra?api_key=${key}&api_username=system
and I’m attempting to use curl at the moment

curl -X "PUT" $url \
  --header "Content-Type: application/json" \
  --data  '{ "custom_fields": { "my_custom_field_name":"0" }}'

is the message about CSRF indicative of a bad api key?

Yes, the CSRF error would suggest a bad API key. The other issue you may be running into is that we added some protection for user custom fields back in September 2018. If you want to be able to edit them from the API, you now need to add something like

register_editable_user_custom_field :my_preference

in your plugin. You can find more details on that here: Add a custom per-user setting in a plugin


My plugin definitely is using the older “register_custom_field_type” method. I will update my plugin, rebuild the app, and then report back.


:+1: note that you still want to keep register_custom_field_type. register_editable_user_custom_field should be added in addition.

Also, this would not explain the CSRF error, but maybe that was a red herring.


After adding register_editable_user_custom_field to my plugin, everything is happily working as expected. Thanks!

The production log is still showing the CSRF message when updating via the API; so indeed a red herring.