Found this out while writing a request to change the tags on a topic.
Basically, this doesn’t work:
PUT /t/123.json?api_username=...&api_key=...
{
tags: ['a']
}
The server responds with:
403
{
"errors": [
"You are not permitted to view the requested resource."
],
"error_type": "invalid_access"
}
However, if you put the topic slug on the URL, everything works fine (i.e. PUT /t/why-arent-there-better-animals/123.json?api_username=...&api_key=...
)
This is inconsistent with the other topic API methods which do not require a slug, and differs from the behavior described in the API documentation: Discourse API Documentation
1 Like
riking
(Kane York)
September 24, 2016, 12:09am
2
Does it work if you use a wrong slug?
2 Likes
fefrei
(Felix Freiberger)
September 27, 2016, 10:06am
3
I’m pretty sure the answer is No , based on previous testing, but I don’t have the time to reproduce this right now.
1 Like
blake
(Blake Erickson)
September 27, 2016, 12:21pm
4
Yes it appears that you need the slug to be present to make the PUT request on topics and you can use the wrong slug and it will work fine.
See my demo:
4 Likes
riking
(Kane York)
September 27, 2016, 4:47pm
5
Okay, so just hardcode a slug of a single dash
4 Likes
That’s fine for a workaround but it’s still a bug.
1 Like
How is that a bug and not required syntax?
To work as expected routing depends on URLs to be in a certain format.
So this seems more like “change the way the API works with improper URLs” feature request than a bug to me.
3 Likes
Well, none of the other topic API methods require that, so I’d call it a bug.
2 Likes
Put differently, why is it reasonable for GET /t/:topicId
to work and DELETE /t/:topicId
to work and PUT /t/:topicId
to not work?
4 Likes
I edited the original topic to clarify why this is a bug, but I’d like to highlight that the API documentation itself states that this should work:
Discourse API
Please view the Discourse API Documentation site for detailed info:
https://docs.discourse.org
Deprecation Warning!
On April 6th, 2020 we dropped support for all non-HTTP header based authentication (excluding some rss, mail-receiver, and ics routes). This means that API requests that have an api_key and api_username in the query params or in the HTTP body of the request will soon stop working. Please see the example cURL request below for how to update your API requ…
I think my previous point is relevant as well.
2 Likes
sam
(Sam Saffron)
September 28, 2016, 8:45am
11
This does not meet our definition of bug but I am totally fine for a PR that cleans this up cause it would simplify the API.
2 Likes