Forum Discussion

jeffshurtliff's avatar
jeffshurtliff
Boss
4 years ago

Unable to publish message on behalf of another user

I have created a custom endpoint wherein a new TKB article gets published to one of our product boards as a product advisory, which is triggered by a member of the respective product team via a custo...
  • DougS's avatar
    DougS
    4 years ago

     

    Hi jeffshurtliff ,

    Let me reply to your last 2 questions:

    Is there a way to force the directives above to select one session key over another, or is there perhaps a different directive/method to leverage instead to publish the post within the endpoint?

    There is no way (to my knowledge) to pass a different session key from your freemarker template and have that override the session id of the currently authenticated user. We do allow you to pass either the Li-Api-Session-Key header or the restapi.session_key parameter to your endpoint call and it will use that session key to authenticate the user.

     

    Is there maybe a different way that the author can be specified by the Community APIs when creating a new message?  For example, if I pass "author": {"type": "user", "id": "12345"} in the payload when creating the message will that specify the author or will it be ignored?

    If the user you are authenticated as has the "Switch User" permission, then you can pass the "author": { "type": "user", "id": "12345" } and it should set the user for the id you've passed as message author (assuming that id maps to a valid user) instead of using the currently authenticated user as the author.

    I hope that helps.

    -Doug

jeffshurtliff's avatar
jeffshurtliff
Boss

Hi DougS,

Thank you for the detailed response in this thread, and particularly around your suggestions regarding error reporting macros, which is super useful.

Unfortunately I think you may have misinterpreted the primary ask and a few details in my original post:

  • What I'm ultimately trying to do is "ghostwrite" a message for another author.  For example, allowing the admin user JohnDoe to publish a TKB article that shows the author as JaneDoe rather than himself.  (To be even more specific, we want to publish release notes and other content under a generic "ProductTeam" user account rather than our product management team having to publish content under their own names.)
  • I am not having credentials passed at all via custom endpoint, and instead the getSessionKey function referenced above is a private function called within the endpoint just to generate a valid session key to use in the "ghostwritten" message creation.
  • The functions above are not the entire custom endpoint but are just small fragments of it.  The full endpoint can only be executed by an authenticated user belonging to specific roles, leverages CSRF tokens, etc. to prevent unauthorized API calls, and as mentioned does not request any credentials or other sensitive data over the wire.
  • The primary issue with which I need help is that whenever I use the restrestadmin or restBuilder directives and supply a valid session key in the header or as a query parameter, the provided session key is always trumped by my own and the messages are still always show me (or whoever calls the endpoint) as the message author rather than the account associated with the supplied session key.
    • Is there a way to force the directives above to select one session key over another, or is there perhaps a different directive/method to leverage instead to publish the post within the endpoint?
    • Is there maybe a different way that the author can be specified by the Community APIs when creating a new message?  For example, if I pass "author": {"type": "user", "id": "12345"} in the payload when creating the message will that specify the author or will it be ignored?

 

I hope this helps to clarify things.

Thanks again!

DougS's avatar
DougS
Khoros Oracle
4 years ago

 

Hi jeffshurtliff ,

Let me reply to your last 2 questions:

Is there a way to force the directives above to select one session key over another, or is there perhaps a different directive/method to leverage instead to publish the post within the endpoint?

There is no way (to my knowledge) to pass a different session key from your freemarker template and have that override the session id of the currently authenticated user. We do allow you to pass either the Li-Api-Session-Key header or the restapi.session_key parameter to your endpoint call and it will use that session key to authenticate the user.

 

Is there maybe a different way that the author can be specified by the Community APIs when creating a new message?  For example, if I pass "author": {"type": "user", "id": "12345"} in the payload when creating the message will that specify the author or will it be ignored?

If the user you are authenticated as has the "Switch User" permission, then you can pass the "author": { "type": "user", "id": "12345" } and it should set the user for the id you've passed as message author (assuming that id maps to a valid user) instead of using the currently authenticated user as the author.

I hope that helps.

-Doug