The curl request to test bot accounts reproducibly creates 403 responses https://docs.mattermost.com/developer/bot-accounts.html?highlight=bot#how-can-i-quickly-test-if-my-bot-account-is-working
Version: 5.13
The post will appear in the appropriate channel
No message appears. The call results in a 403 message.
The entry in the log file is something like this:
{"level":"error","ts":123.456,"caller":"mlog/log.go:172","msg":"You do not have the appropriate permissions","path":"/api/v4/posts","request_id":"xxxxx","ip_addr":"::1","user_id":"yyyyy","method":"POST","err_where":"Permissions","http_code":403,"err_details":"userId=zzzzzz, permission=create_post"}
It seems to be mandatory to use the login() API call first!
Use of Python Mattermost Driver is successful.
Simple example:
    #!/usr/bin/env python3
    from mattermostdriver import Driver


    def main():
        bot = Driver({
            'url': 'localhost',  # no firewall, proxy etc.
            'token': 'secret_token_of_bot_account',
            'port': 8065,
            'scheme': 'http',  # no SSL issues
            'verify': False,
        })
        bot.login()
        my_channel_id = bot.channels.get_channel_by_name_and_team_name(
            'my_team',
            'My_Channel')['id']
        bot.posts.create_post(options={
            'channel_id': my_channel_id,
            'message': 'We come in peace.',
        })


    if __name__ == '__main__':
        main()
@mkesper Are bot accounts not working on your server in general or is it that the documentation example doesn't work?
On 3 October 2019 17:03:45 CEST, Amy Blais notifications@github.com wrote:
> @mkesper Are bot accounts not working on your server in general or is it that the documentation example doesn't work?
Bots are working fine.
A login api call is mandatory before creating a post, though.
@mkesper, this appears to be a specific requirement of the python-mattermost-driver:
> If using a personal access token, you still need to run login(). In this case, does not make a login request, but a get_user('me') and sets everything up in the client.
In general, the Mattermost API does not require an explicit login as such -- for example, if you use the Go driver, simply setting the token suffices.
And, just to add, I confirmed that this also works with the vanilla curl command without taking any extra login step as required by the python driver.
On 04.10.19 17:07, Jesse Hallam wrote:
> And, just to add, I confirmed that this also works with the vanilla curl command without taking any extra login step as required by the python driver.
Hi all,
thanks for testing.
This is odd. It did repeatedly not work for me.
I'll investigate again.
I'll close this issue for now as we haven't received updates for a while. Please re-open this issue with additional relevant information if the problem persists and we will take a further look.
the problem with the curl example is it doesn't explain how to get the user_id or the channel_id! That is, it's an issue with documentation, i feel.
I made a bot via the menu ->integrations and set up an api key and constantly got permissions errors when trying to do /api/v4/posts
Setting up slashcommands and matterbridge was a walk in the park compared to the hours i spent trying to debug this permissions error
curl -i -X POST -H 'Content-Type: application/json' -d '{"user_id": "$MY_BOTS_TOKEN_ID", "channel_id": "botspam", "message": "spammy message"}' -H 'Authorization: Bearer '"$MY_BOTS_ACCESS_TOKEN" https://example.com/api/v4/posts
you have to make your personal access tokens for the user; which you can see the user ID of, and not some random one in the logs you can't see anywhere else on the desktop/browser.
curl -i -H 'Authorization: Bearer '"$USER_PERSONAL_ACCESS_TOKEN" https://example.com/api/v4/users/me
(i guess, some of the instructions say this, "to grant API access")
then run
curl -i -H 'Authorization: Bearer '"$USER_PERSONAL_ACCESS_TOKEN" https://example.com/api/v4/channels
and from this get the channel_id (which i assume are the only channels the literal user has access to?):
{
"id": "wif5fxxxxxxxxxxfjepqqzrmce", <----THIS ONE
...
"team_id": "768888888bg7m8888888akez7a",
"type": "O",
"display_name": "botspam",
"name": "botspam",
"header": "WE ARE HUMAN",
"purpose": "a spam of botspam",
<TRIMMED>
so the final result will look like
curl -i -X POST -H 'Content-Type: application/json' -d '{"user_id": "$LITERAL_USER_ID", "channel_id": "wif5fxxxxxxxxxxfjepqqzrmce", "message": "spammy message"}' -H 'Authorization: Bearer '"$USER_PERSONAL_ACCESS_TOKEN" https://example.com/api/v4/posts
If you try and use the bot integration to do this the userid doesn't match anything and i couldn't get it to work. so i made a new user account and gave it personal access tokens. The entire process, including traversing 3 github issues and at least 6 different mattermost documentation pages took me, as i said, hours.
I'm willing to give Integrations => Bots
another whirl, but not today. Probably someone googling this for HTTP/1.1 403 Forbidden and {"id":"api.context.permissions.app_error","message":"You do not have the appropriate permissions."
and "status_code":403 might get a bit of reprieve.
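Added example (not part of the original thread and not Mattermost's own code): the lookup-then-post sequence discussed above, using only the token being tested. It asks /api/v4/users/me which account the token belongs to, resolves the channel's URL name to its channel id, posts with that id, and reports which step failed, so the returned user_id can be compared with the userId in the server log's err_details. The environment variable names MM_URL and MM_TOKEN and the team/channel names are assumptions.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote


def call(base_url, token, method, path, body=None):
    """One authenticated API v4 request -> (status, parsed JSON body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4" + path,
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    try:
        # urllib verifies TLS certificates by default; leave that on.
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # Mattermost errors are JSON too


def post_message(api, team_name, channel_name, message):
    """Resolve IDs with the token itself, then post; report the failing step."""
    def fail(step, status, body, **extra):
        return {"ok": False, "step": step, "status": status,
                "error": body.get("id"), **extra}

    status, me = api("GET", "/users/me", None)  # which account owns this token?
    if status != 200:
        return fail("token", status, me)
    path = f"/teams/name/{quote(team_name)}/channels/name/{quote(channel_name)}"
    status, chan = api("GET", path, None)  # URL name -> opaque channel id
    if status != 200:
        return fail("channel", status, chan)
    status, post = api("POST", "/posts",
                       {"channel_id": chan["id"], "message": message})
    if status not in (200, 201):
        return fail("post", status, post, user_id=me["id"])
    return {"ok": True, "post_id": post["id"], "user_id": me["id"]}


if __name__ == "__main__":
    base, token = os.environ["MM_URL"], os.environ["MM_TOKEN"]  # assumed names
    print(post_message(lambda m, p, b: call(base, token, m, p, b),
                       "my_team", "botspam", "test post"))
```

A result with step "post" and status 403 means the token and channel lookup both worked and only the create_post permission check was refused for the returned user_id.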