XF 2.2 Confused about the user profile and permissions returned by the rest api


Dear friends,

I'm using the rest api to develop an app, and I'm a little bit confused with the information returned by the api. I have a clean XF installation in my development environment, that is the user groups and the permissions per group are the default ones, and I have not customized the capabilities of the groups in any way..

Then, If I register a new user, the new user becomes the group "registered", and the registered user can post conversations (I mean, using the web interface). So far so good.

Now, I log in with the rest api with these user credentials and as you know the login endpoints returns the user profile. The "can_converse" field of the user profile is set to false. Also, I understand that this user does not have permission to create conversations when asking the rest api.

Apparently, the rest api answers with different credentials as the normal api. Or am I using the api wrong?

Thank you in advance!

Lukas W.

Well-known member
I'm fairly certain that can_converse is a flag if whether the current user can start a conversation with this user. Since you can't start a conversation with yourself, it'll always be false for you.


Ok, that sounds logical. Thank you for the clarification.

Do you know where I can find the information about what a user can do and not do? There is no endpoint to get the permissions of a group...


Lukas W.

Well-known member
That always depends on what context an object lives in, since different content can have different permissions, you'll always find it attached to the entity result usually. There's no general list.


Thank you very much for your answer, but sadly I still remain confused.

For example, in the case when an user starts a new conversation, the app screen to write the message has to be displayed. It can have a button to add attachments if the user is allowed to, or not. Then we need to know this information before posting the conversation.

I know that after posting the first message, the conversation's endpoint response includes a flag "can_upload_attachment" and it can be used to setup the UI accordingly. But it is a bit too late.

But in the case the user is posting the first message of a conversation, this information is not available. How should it be done then?


XenForo developer
Staff member
This isn't actually something exposed by the API. In general, all of the permission related responses relate to the abilities of the context user in relation to the relevant entity (so can_converse means whether the context user can start a conversation with the user in question; same applies to can_warn and so on).

It's potentially worth a suggestion, though I'm not sure where we would put a response like this, as I don't think it's likely to be appropriate in the user entity (we don't detail the permissions of other users outside of something like the permission analyzer in the ACP and we'd end up with mixed meanings of some of the can_x values returned, which is actually a problem with the user entity already and something we'd like to avoid in the API). Perhaps it could be something extra returned be the me endpoint only.

Otherwise, if it's something you need immediately, you'd need to implement it via an add-on.


Thank you for your answer. It is good to know that I'm not using the api wrong and that this feature is not there.

I'm already working on a way to expand the information returned by the /me endpoint with some fields that I need.

Thank you again for the clarification.


Well-known member
I have to start now with the api.
The only thing i have done till now, is to push data from forum1 to forum2.
My next goal is now that forum1 pulls data from tables of forum2.

You goal is something to create conversations without the forum itself?
Sounds interesting. A whatsapp for mobiles without opening the forum?


@Robert9, thanks for asking.

I'm working on a client app for XF. But I don't like to share many details, because the development of the MVP is not finished yet, and I believe it could bring me bad luck.

Well, seriously speaking, it is not worth talking about it, unless you have something you can show, and I'm still a few months away from that.

If you want to know more, write me a PM.