What is the purpose of the created_by parameter when creating a new comment?

Tomasz_Zarna · October 9, 2020, 9:48am

The doc about creating new stories/comments describes the payload to be used to create a new story. The description includes a parameter called “created_by” but I don’t quite understand its purpose.

The “name” field is “Read-only except when same user as requester”, but why setting the field if omitting it gives the same result = the comment will be created by the current user.

Trying to create a comment with the param set I keep getting 400 Bad Request and a message saying “created_by: Cannot write this property”.

What do I miss?

Tomasz_Zarna · October 16, 2020, 10:16am

The official Java client doesn’t seem to use the parameter either. The javadoc for creating new stories (comments) says “the comment will be authored by the currently authenticated user”. I’m confused why the param is even mentioned in the documentation.

Any thoughts?

Phil_Seeman · October 16, 2020, 1:08pm

Hey @Ross_Grambo can you help with info about this created_by parameter? Thanks!

Ross_Grambo · October 16, 2020, 8:43pm

This is a bug. Created By is not a writable field.

You can stop reading now, but if you’re curious, here’s the context why it’s there:

Basically the docs are generated from our schema defined in the OpenAPI spec. OpenAPI specs can’t reference another schema while adding a modifier. The definition is something like:

created_by: 
  ref: "User_Schema"

When it really should be:

created_by: 
  ref: "User_Schema"
  read-only: true

But that’s not currently supported. There is a work around we do in a few places and I must have missed this one when making those changes. I’ll make a task to do that workaround here too.

@Tomasz_Zarna thank you for calling this out!

Ross_Grambo · October 16, 2020, 8:55pm

This should now be resolved!

Tomasz_Zarna · October 19, 2020, 7:44am

Thanks @Ross_Grambo for the explanation. Makes total sense.

Does this mean Asana doesn’t support impersonating another user to create a story? At least currently. Which is totally fine, I just want to check if I didn’t miss any other way of achieving this.

This should now be resolved!

I confirm. The piece of doc that confused me is gone.

Ross_Grambo · October 19, 2020, 4:25pm

Currently, no . The most common patterns I see is to use whoever oauthed with your app, or use a PAT from a bot user.

Tomasz_Zarna · October 19, 2020, 4:41pm

That’s fine, thanks for confirming.