Go Back   vb.org Archive > vBulletin 5 Connect Discussion > vB5 Programming Discussions
  #1  
Old 04-13-2020, 05:30 PM
elieseif elieseif is offline
 
Join Date: Apr 2020
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default no_permission when creating user through mobile API

SOLVED: See posts #4 and #5

The call to api.init generates the required access token, client id, secret, and api version, but the call to user.save is returning an no_permission error.
Using vBCloud 5.6.0

Here's the code snippet to api.init:
PHP Code:
$requestparams = array(
'api_m' => 'api.init',
'clientname' => 'Client',
'clientversion' => '1.0',
'platformname' => 'Platform',
'platformversion' => '1.0',
'uniqueid' => 'XXXX'
);

// cURL
$url 'https://myforum.com/api.php';
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
$curl_response curl_exec($ch);
curl_close($ch);

$curl_response_array json_decode($curl_response,true);

// API
$apiaccesstoken $curl_response_array['apiaccesstoken'];
$apiclientid $curl_response_array['apiclientid'];
$apisecret $curl_response_array['secret'];
$apiversion $curl_response_array['apiversion']; 
And the call to api.save:
PHP Code:
// User
$user = array(
'username' => "Test",
'email' => "test@test.com",
'usergroupid' => "14"
);

// Sort GET params by key
ksort($user);

// The HTTP GET params for an API method
// (without api related params except api_m. see below)
$requestparams = array(
'api_m' => 'user.save',
'userid' => '0',
'password' => '123',
'user' => $user,
'options' => '',
'adminoptions' => '',
'userfield' => ''
);

// Sort GET params by key
ksort($requestparams);

// The correct signature is the md5 value of $data + accesstoken + clientid + secret + apikey
// (all can be fetched from api_init except apikey
// -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
$requestparams_string http_build_query($requestparams);
$apisignature md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

$requestparams['api_s'] = $apiaccesstoken;
$requestparams['api_sig'] = $apisignature;
$requestparams['api_v'] = $apiversion;

// cURL
$url 'https://myforum.com/api.php';
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
$curl_response curl_exec($ch);
curl_close($ch);

$curl_response_array json_decode($curl_response,true); 
Here's the generate query string for the api.save call (I've replaced the hash strings with XXX):
HTML Code:
adminoptions=&api_m=user.save&options=&password=123&user%5Bemail%5D=test%40test.com&user%5Busergroupid%5D=14&user%5Busername%5D=Test&userfield=&userid=0&api_s=XXX&api_sig=XXX&api_v=560
Adding api_c to the user.save method call generates in invalid_api_signature. Otherwise, it's a no_permission error. Also tried logging in as administrator before creating a user and still got the no_permission error.

There's very little documentation on the API, any help would be appreciated?
Thanks
Reply With Quote
  #2  
Old 04-13-2020, 08:50 PM
shka shka is offline
 
Join Date: Mar 2016
Posts: 79
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Without login?

Just a guess: api.init, user.login2,api.init (on first page of api docs is written - needed after .login, but after login2?), and then user.save
Reply With Quote
  #3  
Old 04-13-2020, 09:11 PM
elieseif elieseif is offline
 
Join Date: Apr 2020
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I tried logging in as Administrator after api.init and before api.save, and got both session and cpsession hashes so login was successful, but api.save still gives no_permission.
I also tried calling api.init again after user.login2, no change.

That said, whenever I include api_c in login2 or save method calls, I get "invalid_api_signature". If I remove api_c and keep api_s, api_sig and api_v, I am able to login, but user.save gives the no_permission error.

At this point, I'm out of ideas.
Reply With Quote
  #4  
Old 04-15-2020, 12:28 PM
shka shka is offline
 
Join Date: Mar 2016
Posts: 79
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yepp, api docs are really bad. Solution is the security token getting by login call.
Following example works in my local xammp dev enviroment. I've used loginSpecificUser but also login2 is possible. After login fetchCurrentUserinfo and get username (to check if correct login) and securitytoken.

After that an example for adding an post and adding a user.

You need to change apikey, urlapibase, userid and password for userid

PHP Code:
<?php

$requestparams 
= array(
'api_m' => 'api.init',
'clientname' => 'Muschebuhbuh',
'clientversion' => '1.0',
'platformname' => 'Muschebuhbuh',
'platformversion' => '1.0',
'uniqueid' => 'test123'
);

$urlapibase 'http://localhost/forum/api.php'//replace with your url, but don't use .../core/api.php

// cURL
$url $urlapibase;
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
$curl_response curl_exec($ch);
curl_close($ch);

$curl_response_array json_decode($curl_responsetrue);
// API
$apiaccesstoken $curl_response_array['apiaccesstoken'];
$apiclientid $curl_response_array['apiclientid'];
$apisecret $curl_response_array['secret'];
$apiversion $curl_response_array['apiversion'];

$apikey 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'//replace with your generated api key from admincp
echo '-------------- first init -----------------';
echo 
'apiaccesstoken : ';
var_dump($apiaccesstoken);
//echo 'curl_response_array : ';
//var_dump($curl_response_array2);


// you can use also user.login or user.login2, but with other params
$requestparams = array(
    
'api_m' => 'user.loginSpecificUser',
    
'userid' => 1,                      // change userid for login
    
'passwords' => array(
        
'password' => 'xxxxxxx',       // password for userid
        
'md5password' => md5('xxxxx'),  //same password
        
'md5password_utf' => ''
    
),
    
'extraAuthInfo' => array(
        
'mfa_authcode' => ""
    
),
    
'logintype' => 'cplogin'
);
ksort($requestparams);
$requestparams_string http_build_query($requestparams);
$url $urlapibase.'?'.$requestparams_string;
$apisignature md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

$requestparams['api_s'] = $apiaccesstoken;
$requestparams['api_sig'] = $apisignature;
$requestparams['api_v'] = $apiversion;
$requestparams['api_c'] = $apiclientid;

// cURL
define("COOKIE_FILE""cookie.txt");

$ch curl_init($url);
curl_setopt($chCURLOPT_COOKIEJARCOOKIE_FILE);
curl_setopt($chCURLOPT_COOKIEFILECOOKIE_FILE);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
$curl_response curl_exec($ch);
$curl_response_array json_decode($curl_responsetrue);
curl_close($ch);


$remember_me $curl_response_array['password'];
$sessionhash $curl_response_array['sessionhash'];
$cpsession $curl_response_array['cpsession'];

echo 
'-------------- login user -----------------';
echo 
'curl_response_array : ';
var_dump($curl_response_array);
// echo 'remember_me : ';
// var_dump($remember_me);
// echo 'sessionhash : ';
// var_dump($sessionhash);
// echo 'cpsession : ';
// var_dump($cpsession);



// fetch User Info
$requestparams = array(
    
'api_m' => 'user.fetchCurrentUserinfo'
);
ksort($requestparams);
$url =  $urlapibase.'?'.http_build_query($requestparams);
$requestparams_string http_build_query($requestparams);
$apisignature md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

$requestparams['api_s'] = $apiaccesstoken;
$requestparams['api_sig'] = $apisignature;
$requestparams['api_v'] = $apiversion;
$requestparams['api_c'] = $apiclientid;


// cURL
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
curl_setopt($chCURLINFO_HEADER_OUTtrue);
$curl_response curl_exec($ch);
$information curl_getinfo($ch);
curl_close($ch);

$curl_response_array json_decode($curl_responsetrue);
echo 
'--------------- fetch user info ----------------';
//echo 'header information : ';
//var_dump($information);
//echo 'curl_response_array : ';
//var_dump($curl_response_array);
echo 'username : (should be the logged in username)';
var_dump($curl_response_array['username']);
echo 
'securitytoken : ';
var_dump($curl_response_array['securitytoken']);

$securitytoken $curl_response_array['securitytoken'];



// Content add
$requestparams = array(
    
'api_m' => 'content_text.add',
    
'data' => array(
        
'rawtext' => "Content for Content_Title 14",
        
'title' => "Content_Title 14",
        
'parentid' => 3,
        
'userid' => 1
    
),
    
'options' => array()
);

ksort($requestparams);
$url =  $urlapibase.'?'.http_build_query($requestparams);
$requestparams_string http_build_query($requestparams);
$apisignature md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

$requestparams['api_s'] = $apiaccesstoken;
$requestparams['api_sig'] = $apisignature;
$requestparams['api_v'] = $apiversion;
$requestparams['api_c'] = $apiclientid;
$requestparams['securitytoken'] = $securitytoken;

// cURL
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
curl_setopt($chCURLINFO_HEADER_OUTtrue);
$curl_response curl_exec($ch);
$information curl_getinfo($ch);
curl_close($ch);

$curl_response_array json_decode($curl_responsetrue);
echo 
'------------ content add -------------------';
//echo 'header information : ';
//var_dump($information);
echo 'curl_response_array : ';
var_dump($curl_response_array);



// User
$user = array(
    
'username' => "Test4",
    
'email' => "test4@test.com",
    
'usergroupid' => "2"
);

ksort($user);
$requestparams = array(
    
'api_m' => 'user.save',
    
'userid' => '0',
    
'password' => '123',
    
'user' => $user,
    
'options' => '',
    
'adminoptions' => '',
    
'userfield' => ''
);
ksort($requestparams);
$url =  $urlapibase.'?'.http_build_query($requestparams);
$requestparams_string http_build_query($requestparams);
$apisignature md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

$requestparams['api_s'] = $apiaccesstoken;
$requestparams['api_sig'] = $apisignature;
$requestparams['api_v'] = $apiversion;
$requestparams['api_c'] = $apiclientid;
$requestparams['securitytoken'] = $securitytoken;

// cURL
$ch curl_init($url);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDShttp_build_query($requestparams));
curl_setopt($chCURLOPT_RETURNTRANSFERtrue);
curl_setopt($chCURLINFO_HEADER_OUTtrue);
$curl_response curl_exec($ch);
$information curl_getinfo($ch);
curl_close($ch);

$curl_response_array json_decode($curl_responsetrue);
echo 
'------------ add user -------------------';
//echo 'header information : ';
//var_dump($information);
echo 'curl_response_array : ';
var_dump($curl_response_array);
Reply With Quote
  #5  
Old 04-17-2020, 08:47 AM
elieseif elieseif is offline
 
Join Date: Apr 2020
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Many many thanks. I finally got it to work.

But for anyone who comes across this thread, here's what I discovered.
The call to the api works in GET mode, but not HTTP POST.
It only works in POST mode if you provide the full url with the query parameters in the url and not only as CURLOPT_POSTFIELDS

Both my version of the code and yours work when the HTTP call is modified accordingly, so there was need to fetch the admin and the security token after logging in. The sequence is api.init ---> api.login2 ---> api.save

This is clearly a bug in the api!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:00 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04368 seconds
  • Memory Usage 2,321KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_html
  • (3)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (5)postbit
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete