HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How to change the password of the user in API v2?

Hi everybody,

I use the VanillaForum with my own application, as well as my own user administration. Via API I create a new user in the forum. This works very well. However, I cannot change the password of this user afterwards. Is this still a missing feature or is there a reason why this function is not available?





  • Options
    R_JR_J Ex-Fanboy Munich Admin

    There is no endpoint dedicated to that, as far as I can see. But the AuthenticateApiController has a post_password() method which can be used to check if the "old password" info is correct.

    Afterwards, with the UsersApiController patch() method, you should be able to set the new password. But I assume that all the password strength checks will not be applied.

    By the way: in order to use the authentication API you need to enable it by setting a "feature flag" in the config. Add the following line to /conf/config.php: $Configuration['Feature']['AuthenticationAPI']['Enabled'] = true;

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    Oh and by the way: I'm super interested in seeing what you have done. It would be great if you could share what you have done. If this is not possible here in public, at least some screenshots via PM would be nice 😉

  • Options

    I'm on the correct way that you mean this endpoint?

    PATCH /users/{id} Update a user.

    There is no attribute for password.

    And the AuthenticateApiController is this a new endpoint?

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    Sorry, I haven't done very much with the API or REST Apis as such. But based on the examples I would say you need something like that:

    curl -X PATCH "blablabla/api/v2/users/42" -H "accept: application/json" -H "Content-Type: application/json" -H "x-transient-key: whatever" -d "{\"password\":\"rumpelstilzchen\"}"

    Not sure about the authenticate API age... If it is important for you, you would have to do some investigations on GitHub

  • Options

    can u please tell me how to get the user API for Vanilla forum

  • Options

    You can find them in Settings -> Technical -> API

    Yes, that's what I was thinking. But it's not working :( Maybe I have to read the source code. Thanks for your help

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    I would start by trying to change something which is in the example: "emailConfirmed" from true to false or the other way around. If that's working you could try to set the password. But if it is not working you have to dig into why you cannot even set emailConfirmed.

  • Options

    I changed the username of my Testuser with this endpoint. Everything works fine. Password still the old one.

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    The ApiController uses the UserModel->save() method. That method fires the BeforeSave event. Write a simple plugin with the following method:

    public function userModel_beforeSave_handler($sender, $args) {
        Gdn::set('debug-'.time(), dbencode($args['Fields']));

    That will log in the table GDN_UserMeta what is saved by the UserModel. First thing you should do is to see if the password is still in there.

    This simple snippet works, so I wouldn't know any reason why using the patch method shouldn't work...

    $user = Gdn::userModel()->getByUsername('Kunz');
       'UserID' => $user->UserID,
       'Password' => 'KunzPasswort'

    But it's really all guessing around from my side, sorry

  • Options

    Seems to be a bug. In the userPatchSchema is the field 'password?' missing. If I add this it will work.

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    But maybe that is also intended (for whatever reasons).

    You should better create a plugin and extend the controller class, overwrite the userPatchSchema and use your custom controller for resetting the password.

Sign In or Register to comment.