HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How to retrieve last n inserted users via API

Hello everybody, I'm trying to retrieve the last registered users to print a little widget in the homepage of my website.

I'm perfectly able to retrieve the last n discussions via ajax through "/api/v2/discussions?limit=4", but I am not able to sort in anyway the users, not even filtering via dates, .


returns the first 12 users from the table, but I want to get the last ones.

I tried with the dataInserted param, but no luck at all so far.

Any help?

Thanks in advance.

vanilla version: 2.8.4



  • R_JR_J Ex-Fanboy Munich Admin

    You should update to a version without know security issues. If you do, you would find that piece of information in the API description:




    When the user was created. This filter receive a string that can take two forms. A single date that matches '{Operator}{DateTime}' where {Operator} can be =, <, >, <=, >= and, if omitted, defaults to =. A date range that matches '{Opening}{DateTime},{DateTime}{Closing}' where {Opening} can be '[' or '(' and {Closing} can be ']' or ')'. '[]' are inclusive and '()' are exclusive.

    The current version allows e.g. /api/v2/users?page=1&limit=5&dateInserted=(2019-06-13,2019-12-14).

  • Hello @R_J thanks for your suggestion.

    Actually I already read that piece of info in the docs, and tried to apply, and I didn't manage to make dateInserted param to work.

    I tried also your example, and the result is:

        "message": "Validation Failed",
        "status": 422,
        "errors": [
                "field": "name",
                "code": "missingField",
                "path": "[0].roles[1]",
                "status": 422,
                "message": "item[0].roles[1].name is required."
            [... omissis...]

    Do you know what does this mean?

    Thanks again!

  • edited November 2019

    Sorry, probably I'm doing it wrong.

    A bit of context: since I want the data to be displayed on a page outside of the forum (but on the same domain), I need to retrieve the data even if there is not active session on the forum.

    The response in the previous comment was returned without the usage of the authorization token, but now I've implemented it directly into my ajax call after generating it through the panel.

    The result is on this image.

    What's wrong with what I am doing?

    How can I retrieve the list of the last registered users?

    Why does the "discussions" endpoint works as expected instead?


  • R_JR_J Ex-Fanboy Munich Admin

    Discussion works as expected because that endpoint is "public": I assume you don't need any permissions at all to view that data. Fetching discussions therefore isn't an indicator if authentication is working properly

    You have said, that you were able to fetch users, but that the dateInserted parameter did not work. But you've also said, that you are on version 2.8.4... Look at /applications/dashboard/controllers/api/UserApiController.php if the "dateInserted" is already implemented in your version. If not, you know the reason why you can't make it work.

    If it is already implemented in 2.8.4 but it is not working, well, I don't want to be impolite but I personally would think it is a waste of time implementing a feature into an old and insecure installation when an update would be enough (and is highly recommended anyway). Sorry.

    That said, if you insist on your old installation and need to get that list of users, ask yourself if that information must be requested in exactly that way. Writing a plugin which provides that information is trivial. That's one option.

    If your version of the UserApiController already has the rows

           // Allow addons to modify the result.
           $result = $this->getEventManager()->fireFilter('usersApiController_indexOutput', $result, $this, $in, $query, $rows);
           return new Data($result, ['paging' => $paging]);

    You should be able to write a plugin which transforms the result :

       public function usersApiController_indexOutput_handler($input) {
           // Write the result to UserMeta to inspect it
           Gdn::set('debug_filter', dbencode($input));
           $output = some array magic to transform $input
           return $output;

    But in that case you would have to intercept the request to ensure that the filter is only applied when you are requesting that information and not for every request, since that could damage the functionality of your forum

  • Hello @R_J , thanks for your detailed thoughts, much appreciated.

    Indeed version 2.8.4 has the class and the snippets you mentioned.

    I know this is an "old" version, but the last minor release with a security fix was made in June, not 2 years ago.

    At first I wanted to upgrade to 3.2 in the last weeks (I know version 3.3 was released recently) but since I had several problems on upgrading from my previous versione (2.3.1), I decided to try with the last release of the major 2, and despite a few problems everything is now working as expected, .. except for the argument of this thread.

    After that I also discovered that my production env has got PHP 7.1 and MySQL 5.5, and upgrade the server is not an option, so I hope that 3.3 requires those at minimum if I try again to upgrade (this time from 2.8.4 and not 2.3.1). I'm pretty sure I'm ok with PHP, but do not have an idea with MySQL. [update: just find here: https://docs.vanillaforums.com/developer/installation/self-hosting/; I should have problems I guess]

    I guess I'll give the update another try, just to follow the right steps instead of trying a different path like developing a plugin.

    Thanks again.

  • R_JR_J Ex-Fanboy Munich Admin

    my production env has got PHP 7.1 and MySQL 5.5, and upgrade the server is not an option

    Security support only until December 1st 😕

    Looks like upgrading will become a bigger issue for you in the very near future. I would recommend to try updating into a test installation. There are no problems that couldn't be solved while upgrading

  • I won't bother you with the reason why I cannot (at the moment) upgrade the server (all developer/client/provider boring stuff), but I will say that I definitely agree with you.

    I'll try to upgrade to the latest release at least in dev and see if the problem vanishes, and post back here to update the thread.


  • R_JR_J Ex-Fanboy Munich Admin
    edited November 2019

    If you are not able to update soon, you can still write a plugin, it is really super simple! Write a plugin with just one method like that (totally untested but should be quite complete):

      public function pluginController_getUsers_create($sender, $args) {
           if (Gdn::request()->isPostBack() === false) {
               throw new \Exception('Requires POST', 405);
           $postData = Gdn::request()->post();
           // Don't wat to expose the data?
           $secret = 'OhSoSecret!Rubbish:345r047rovrf708v70v078z4378z834783470';
           if ($postData['secret'] !== $secret) {
               throw permissionException();
           // Fetch 100 last users - you have to know if that's enough
           $users = Gdn::userModel()->get('UserID', 'desc', 100, 0)->resultArray();
           $userNames = [];
           foreach ($users as $key => $user) {
               if ($user->DateInserted >= $postData['dateInserted']) {
                   $userNames[] = $user->Name;
           header('Content-Type: application/json');
           echo json_encode($userNames);

    After you have activated such a plugin you could post secret=(that monster from above or whatever you've set there)&dateInserted=2019-11-01 to yourforum.com/plugin/getusers and in return get the new users.

  • Hello @R_J , thank you very much, I managed to create a little plugin following your instruction and the documentation and at the moment I was able to implement the widget as I wanted.

    Now I can focus on the other issue regarding the dev server specifications.

    Thanks again for your support!

Sign In or Register to comment.