Which validations can be bypassed and how when using the API to create topics/posts

Isambard · March 13, 2024, 10:39pm

Which validations can you bypass and how? I’m trying to use API to post and am hitting things like:

Entropy too low
Topic too short
Body too similar

The problem is, it is hard to know what other checks might be caught and so I just stop when I hit one, abort and run again.

pfaffman · March 14, 2024, 7:03pm

If you’re importing more than a few posts from an existing database then you should use a migration script.

There’s a skip_validations parameter you can pass in Ruby, but I don’t know if you can pass it with the API.

But also, do you really want to create a bunch of short posts that have very few different characters and are just like other posts? There are site settings for those that you can change if you search site settings for those words (entropy, minimum post length, min title similar length or allow duplicate titles)

Arkshine · March 14, 2024, 10:40pm

Yes, that should work (WP-Discourse uses it, for example)

github.com

discourse/discourse/blob/main/app/controllers/posts_controller.rb#L821


      
              end
            end
          end
          
          # param munging for WordPress
          params[:auto_track] = !(params[:auto_track].to_s == "false") if params[:auto_track]
          params[:visible] = (params[:unlist_topic].to_s == "false") if params[:unlist_topic]
          
          if is_api?
            # php seems to be sending this incorrectly, don't fight with it
            params[:skip_validations] = params[:skip_validations].to_s == "true"
            permitted << :skip_validations
          
            params[:import_mode] = params[:import_mode].to_s == "true"
            permitted << :import_mode
          
            # We allow `embed_url` via the API
            permitted << :embed_url
          
            # We allow `created_at` via the API
            permitted << :created_at

Isambard · March 19, 2024, 12:12am

I think there is a bug in the skip validations.

When I use skip validations to create a Topic, this works and it is possible for user to create a topic in a category even if normally he would have no rights to do so.

However, when trying to reply to that same topic, the validation check is not skipped and this post create fails.

Arkshine · March 20, 2024, 9:04pm

Can you elaborate on what post validations you are referring to exactly? What errors do you get?

simon · March 20, 2024, 10:46pm

Are you sure about that? My understanding is that skip_validations does what it says it does in the options section that’s at the bottom of post_creator.rb:

github.com

discourse/discourse/blob/main/lib/post_creator.rb#L37


      
          #                               :raw_html - Perform no processing
          #                               :raw_email - Imported from an email
          #   via_email               - Mark this post as arriving via email
          #   raw_email               - Full text of arriving email (to store)
          #   action_code             - Describes a small_action post (optional)
          #   skip_jobs               - Don't enqueue jobs when creation succeeds. This is needed if you
          #                             wrap `PostCreator` in a transaction, as the sidekiq jobs could
          #                             dequeue before the commit finishes. If you do this, be sure to
          #                             call `enqueue_jobs` after the transaction is committed.
          #   hidden_reason_id        - Reason for hiding the post (optional)
          #   skip_validations        - Do not validate any of the content in the post
          #   draft_key               - the key of the draft we are creating (will be deleted on success)
          #   advance_draft           - Destroy draft after creating post or topic
          #   silent                  - Do not update topic stats and fields like last_post_user_id
          #
          #   When replying to a topic:
          #     topic_id              - topic we're replying to
          #     reply_to_post_number  - post number we're replying to
          #
          #   When creating a topic:
          #     title                 - New topic title

It’s primarily used to ignore the constraints that are added through site settings like:

min post length
min body entropy
min topic title length
…

I think it’s also used to ignore posting rate limits.

I didn’t think it allowed users to create topics in categories that they don’t have permission to post in.

Topic		Replies	Views
Guardian bypassed through :skip_validations in TopicCreator but not in PostCreator dev	1	898	March 20, 2024
Rate limits for API users dev rest-api	14	2517	March 14, 2024
Topic duplicate dev	1	442	March 6, 2020
Migrating Content via API hangs after 3 topics support	7	500	March 15, 2020
Failed to post a topic dev rest-api	14	292	October 18, 2023

Which validations can be bypassed and how when using the API to create topics/posts

Related Topics