I don’t believe the CSRF token is the issue here. Moderated accounts just simply get 403s on many endpoints intentionally, excluding a few like usermoderation (for getting their current moderation status/ban reason/etc).
By the way, the actual header name is X-CSRF-Token, and it usually doesn’t cause a captcha when it’s invalid - it usually comes before the captcha.
I think the actual “bug” here is that support requests are included in the pool of requests that are blocked when your account is moderated. Maybe you could rephrase this as “cannot submit support requests on a moderated account”.
For whatever reason, it was fine when I appealed immediately, but there was a captcha loop the day after. The only thing that gave any clue was that the CSRF printed an object as shown in the original post.
You can’t edit a bug report title after the fact so idk
I’m not quite sure what happened, I cannot replicate this bug (not banned) again.
It seems like the sort of thing that might have been missed and may deeply annoy end users.
Yes, I tested while logged in to a permanently banned account. I was able to fill out the captcha and submit the report form and got an email confirmation.