Fixed REST API: Unable to create an alert that isn't coming from a specific user

Affected version
2.2.5

Jake B.

Well-known member
When using a super admin key to create an alert through the API, you'll get a 403 Forbidden response if you don't pass an XF-Api-User, which makes it a requirement to have an alert that is coming from a specific user rather than having a system / anonymous alert.

Example request:

Code:
curl --request POST \
  --url http://xf22.localhost/api/alerts \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --header 'XF-Api-Key: byCs5d7gUrp7l0S1PLnnyJwEOXRT2L5P' \
  --form to_user_id=1 \
  --form alert=test

Same with

Code:
curl --request POST \
  --url http://xf22.localhost/api/alerts \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --header 'XF-Api-Key: byCs5d7gUrp7l0S1PLnnyJwEOXRT2L5P' \
  --form to_user_id=1 \
  --form alert=test \
  --form from_user_id=0

Workaround:

Diff:
diff --git a/src/XF/Api/Controller/Alerts.php b/src/XF/Api/Controller/Alerts.php
index 8131dab0e..b9a7efcdf 100644
--- a/src/XF/Api/Controller/Alerts.php
+++ b/src/XF/Api/Controller/Alerts.php
@@ -21,7 +21,9 @@ class Alerts extends AbstractController
             $this->assertApiScopeByRequestMethod('alert');
         }
 
-        $this->assertRegisteredUser();
+        if (strtolower($action) != 'post') {
+            $this->assertRegisteredUser();
+        }
     }
 
     /**
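
Review bot: the new condition around `$this->assertRegisteredUser()` skips the registered-user check whenever `$action` is `post`, whatever kind of API key made the request, while the report only concerns super user keys. Consider keeping the assertion unless the request is authenticated with a super user key, or confirm that the POST action itself rejects guest-context calls from ordinary keys (that code is not visible in this hunk). A strict comparison, `strtolower($action) !== 'post'`, would also be safer than `!=`, and a short comment explaining why POST is exempt would help future readers.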
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.6).

Change log:
Allow alerts to be sent via an API super user key without a registered user.
There may be a delay before changes are rolled out to the XenForo Community.
 