FEATURE: Allow drafts to be deleted via the API (#21148)

This PR adds the ability to destroy drafts for a passed user via the API. This was not possible before as this action was reserved for only your personal drafts. If a user is an admin and calls the `#destroy` action from the API they are able to destroy a draft for a passed user. A user can be targeted by passed either their: - username - external_id (for SSO) to the request. In the case you attempt to destroy a non-personal draft and - You are not an admin - You do not access the `#destroy` action via the API you will raise a `Discourse::InvalidAccess` (403) and will not succeed in destroying the draft.
2025-02-25 18:55:32 -06:00 · 2023-04-19 14:41:45 -05:00
parent ff56f403a2
commit a3693fec58
3 changed files with 101 additions and 5 deletions
--- a/app/controllers/drafts_controller.rb
+++ b/app/controllers/drafts_controller.rb
@@ -87,11 +87,25 @@ class DraftsController < ApplicationController
  end

  def destroy
+    user =
+      if is_api?
+        if @guardian.is_admin?
+          fetch_user_from_params
+        else
+          raise Discourse::InvalidAccess
+        end
+      else
+        current_user
+      end
+
    begin
-      Draft.clear(current_user, params[:id], params[:sequence].to_i)
-    rescue Draft::OutOfSequence
-      # nothing really we can do here, if try clearing a draft that is not ours, just skip it.
+      Draft.clear(user, params[:id], params[:sequence].to_i)
+    rescue Draft::OutOfSequence => e
+      return render json: failed_json.merge(errors: e), status: 404
+    rescue StandardError => e
+      return render json: failed_json.merge(errors: e), status: 401
    end
+
    render json: success_json
  end
 end