XF 2.2 is_banned field missing from API response XF 2.2.1?


Using XF 2.2.1 and the is_banned field is missing from the auth/from-session endpoint as well as the others like auth/users/{id}

I tried using a superuser key as well as a user key with a superuser as the user id. All API key scopes are also enabled.

What else could I be doing wrong?


XenForo developer
Staff member
Just to reiterate an important idea of the API: every API access is done as a particular XenForo user. A super user API key just means that it can access the API as any user (the XF-Api-User header), but what content is returned is based on what that user can actually see. If you use a super user API key but don't pass that header in, you'll only return content that a guest can view. This is important, for example, because if we don't apply this and you fetched the latest threads, you may end up inadvertently fetching content in private forums. However, it extends throughout the API usage.

Guests can't see whether a user is banned or a user's email address, for example. Seeing whether a user is banned is connected to bypassing a user's privacy controls, which is a moderator level permission. Seeing a user's email address is only exposed to admins with the ability to access the users section of the control panel.

Setting the bypass permissions option essentially just skips all of these user-specific checks, so you'll get a completely full set of data, regardless of the permissions on the context user. It does make sense in a lot of super user key accesses -- essentially when you're doing internal processing -- though it isn't applicable to every context. Given the power this can have (like leaking information the user shouldn't have access to), it makes sense for it to be an opt-in.