Fixed REST API: Unable to create an alert that isn't coming from a specific user

Jake B.

Well-known member
Affected version: 2.2.5
When using a super admin key to create an alert through the API, you'll get a 403 Forbidden response if you don't pass an XF-Api-User, which makes it a requirement to have an alert that is coming from a specific user rather than having a system / anonymous alert.

Example request:

Code:
curl --request POST \
  --url http://xf22.localhost/api/alerts \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --header 'XF-Api-Key: byCs5d7gUrp7l0S1PLnnyJwEOXRT2L5P' \
  --form to_user_id=1 \
  --form alert=test

Same with

Code:
curl --request POST \
  --url http://xf22.localhost/api/alerts \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --header 'XF-Api-Key: byCs5d7gUrp7l0S1PLnnyJwEOXRT2L5P' \
  --form to_user_id=1 \
  --form alert=test \
  --form from_user_id=0

Workaround:

Diff:
diff --git a/src/XF/Api/Controller/Alerts.php b/src/XF/Api/Controller/Alerts.php
index 8131dab0e..b9a7efcdf 100644
--- a/src/XF/Api/Controller/Alerts.php
+++ b/src/XF/Api/Controller/Alerts.php
@@ -21,7 +21,9 @@ class Alerts extends AbstractController
             $this->assertApiScopeByRequestMethod('alert');
         }
 
-        $this->assertRegisteredUser();
+        if (strtolower($action) != 'post') {
+            $this->assertRegisteredUser();
+        }
     }
 
     /**
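
Review bot: The added condition `if (strtolower($action) != 'post')` exempts every request to the POST action from `assertRegisteredUser()`, whichever key made it; nothing in this hunk limits the exemption to super user keys, which is the case the report describes. Unless the POST handler itself rejects a non-super-user key that carries no user context, tie the skip to the key type rather than to the action name alone, and keep `assertRegisteredUser()` for every other caller. A strict comparison (`!==`) and a one-line comment saying why POST is exempt would also help the next reader.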
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.6).

Change log:
Allow alerts to be sent via an API super user key without a registered user.
There may be a delay before changes are rolled out to the XenForo Community.
 