XF 2.2 API Superuser VS Admin

klamm

klamm

Member
Just curious:
If I create a SuperUser-API-Key, the API will not let me DELETE threads or POST to users ... unless I additionally send XF-Api-user (Administrator) with the headers.
Code: 
"errors": [
        {
            "code": "do_not_have_permission",

Shouldn't the SuperUser-API-Key be enough if it has all the permissions?
If I create a Key based on an Administrator with all rights and use this, no XF-Api-user header is neccessary.
 
This is expected as the super user key lets you control the user you access the API as, but there's always a user behind everything. If you don't tell us one, it'll be a guest and thus, by default, you'll have the same permissions as a guest.

This is covered in the docs, as well as the (optional) method for bypassing permissions when using a super user key:

If the API key selected is a super user key, you may pass the user ID of the context user via the XF-Api-User header. If no user ID is passed, the context will default to a guest.

If the request is made with a super user key and you wish to bypass the context user's permissions, this may be done on a per-request basis by setting the api_bypass_permissions parameter to 1. (This can be passed via a query string or as part of the request body.)
Click to expand...
 
You must log in or register to reply here.

Similar threads

mattrogowski
Confusing app_api_validate_request event behaviour
Replies
0
Views
344
mattrogowski
mattrogowski
Fullmental
XF 2.2 Running a delete request on an attachment returns a 405 error. Why?
Replies
8
Views
756
Jeremy P
Jeremy P
M
XF 2.2 Create an option without showing it on the admin options page
Replies
1
Views
395
Jeremy P
Jeremy P
Fullmental
XF 2.2 Using REST API to post a media item, no documentation. Help please?
Replies
4
Views
1K
Schaken
Schaken
B
  • Question Question
XF 2.2 API Get requests working but not Post
Replies
1
Views
1K
bookworm3000
B
Top Bottom