Allow for pre-registration of fully activated accounts via API without user interaction

nordize · 2017-04-03 16:41:53 UTC

Using 1.8.0.beta9. I’m doing:

curl -d "api_key=<snip>&api_username=system&username=USER&name=USER&email=USER@example.com&password=1fe2fdd3b3939b8755a073557c74c0f5&approved=true&active=true" https://discuss.example.com

Note the &active=true which according to the API docs, should get me an activated user: Discourse API Docs

But it never activates the user, and it always sends an activation email, the json reply is always:

{"success":true,"active":false,"message":"\u003cp\u003eYou're almost done! We sent an activation mail to \u003cb\u003eUSER@example.com\u003c/b\u003e. Please follow the instructions in the email to activate your account.\u003c/p\u003e\u003cp\u003eIf it doesn't arrive, check your spam folder, or try to log in again to send another activation mail.\u003c/p\u003e","user_id":44}

I’ve tried with &active=1 too, no luck.

I did read other threads on here, which were saying I should activate them by doing a second API call to /admin/users/{USER_ID}/activate.json? but that doesn’t help me at all because the activation email was already sent … and it’s the very thing I want to avoid.

This sounds like a bug (either the code or the API docs).

codinghorror · 2017-04-03 04:59:04 UTC

I believe this was the source of a massive security hole we patched a while back, so it may not be enabled any more. Do you remember @sam?

sam · 2017-04-03 13:05:09 UTC

There was an issue where anon were able to register activated accounts which was severe. But I guess the fix here did not account for admins registering accounts on behalf of other users.

Agree we should add this facility for admin API but we would need to be super duper careful here.

nordize · 2017-04-03 15:27:20 UTC

I would be happy for now if it didn’t send any activation email (at least as an option). I’m happy to make a 2nd call to /admin/users/{USER_ID}/activate.json as a working compromize. But currently the problem is that the 1st call always sends an activation email to the user regardless. That’s why I posted this as a bug.

sam · 2017-04-03 16:19:29 UTC

It is somewhere between “missing feature” and “bug”. Semantics aside do you care to submit a PR to add support for pre-staging of activated accounts via the API.

Note, in general we do not notice people asking for this cause they just opt to use SSO when they need this level of control.

watchmanmonitor · 2017-04-03 16:37:07 UTC

I love having SSO as an option to our SaaS app, but have many people in the forum who aren’t members.

Once this is working, we’ll totally start making people like this. Same goes for a second instance where we handle membership in wordpress, but want to literally create people… not just wait for them to sign up.

nordize · 2017-04-03 16:38:25 UTC

I’d love to help but I’m currently up to my eyeballs with work (which I’m actually paid for)

I use Discourse on a private forum for sensitive stuff so all this stuff is important to us. No SSO. Only installed it last week and it grew on me, hence taking the time to report things while testing …

sam · 2017-04-03 16:42:22 UTC

Fair enough, added #pr-welcome here, clarified what is being asked for in topic title.