Forum Discussion

PerBonomi's avatar
PerBonomi
Boss
8 years ago

Send PM from different user - problem

Hi everyone. I created a new non-sso user Using these instructions I generated a session key for that user Created a test endpoint with this code: <#assign session_key = rest("/authentication/ses...
TariqHussain's avatar
TariqHussain
Boss
8 years ago

PerBonomi -

There is no bug in your endpoint code. This is a lithium bug if you will try this call via postman, it will work without any issue.  However inside an endpoint user from is always returned as Anonymous

Below is the response I have got using postman.

 

 

 

 

luk's avatar
luk
Boss
8 years ago
interesting! thanks for the hint
  • PerBonomi's avatar
    PerBonomi
    Boss
    8 years ago

    Changed the code in my endpoint to test different scenarios:

    1:

    <#assign session_key = restadmin("/authentication/sessions/login?user.login=<user>&user.password=<pw>").value/>
<#assign result_send = rest("/boards/id/001/messages/post/?restapi.session_key=${session_key}&message.author=/users/login/sys-admin&message.subject=test&message.body=test")/>

    2:

    <#assign session_key = restadmin("/authentication/sessions/login?user.login=sys-admin&user.password=LittlePinkPig").value/>
<#assign result_send = rest("/boards/id/001/messages/post/?restapi.session_key=${session_key}&message.subject=test&message.body=test")/>

    Open the endpoint without logging in any user:

    1. Error 403

    2. Error 403

     

    Open the endpoint logged in on an admin account:

    1. gets posted as regular user

    2. gets posted as by the admin account

     

    Open the endpoint logged in as regular user, they both error out with a 500

    • VikasB's avatar
      VikasB
      Boss
      8 years ago

      PerBonomi  Give it a shot with restadmin. It would work even in logged out case.  
      In your case session id does not impact to anything. 

      1. You are passing the user login so it is posting by a normal user.  I would work in the same way even you remove the session id. 

      2.  It is posted by admin as you did not pass any user login/id.

      You can use this endpoint as well no need for any type of session generation, just need to pass the user id directly.  

      <#assign escalatesubject = http.request.parameters.name.get("escalatesubject","Here is subject")>
<#assign escalatebody = http.request.parameters.name.get("escalatesubject","Here is body")>
<#assign userid = 100 />

<#assign addPost = restadmin("/boards/id/001/messages/post?message.subject=${escalatesubject?url}&message.body=${escalatebody?url}&message.author=/users/id/${userid}") />

       

      • PerBonomi's avatar
        PerBonomi
        Boss
        8 years ago

        Hey thanks for that. Using the API for other things isn't an issue, I just thought I'd do kind of an AB test to make sure the way I generate the session key is correct :)