API list_users with Staff API key misses emails

Continuing the discussion from Get user email, emails.json seems not working:

The API documentation for list_users states that the resulting JSON response provides an email field. The above discussion mentions that:

Using a Staff API key, when I call client.list_users('staff'), I receive a list of users, but only my entry shows the email field. I would expect the email field to be returned for all users in the list. Otherwise I have to call the API again for each user to retrieve the email.

Since I have a CSV file with names and emails, I can only look up users via their emails in order to manipulate the records or create new users from the incoming list. This makes the job just a bit tedious and error-prone.

In general I think that emails should be available either in the clear for Staff, or as a SHA256 hash, maybe with some salt that would prevent arbitrary attackers from discovering whether an email is used at this site – although they have other ways to do so, e.g., password reminders or registration. Using a cryptographic hash of the email would allow checking its presence without disclosing it.

Anyway, I think that not having the email value in the user list using a Staff API key is a bug and should be fixed.

In the meantime, once you have the user list, you must iterate through it and call /u/#{username}/emails.json to inject the missing email in the list.

Here’s some code:

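module DiscourseApi::API::Users
  # Fetch the primary email address for a single user.
  def user_email(username)
    response = get("/u/#{username}/emails.json")
    response[:body]['email']
  end
end

staff = client.list_users('staff')
# Fill in the email for every entry where list_users did not return one.
staff.each_with_index do |u, i|
  next unless u['email'].nil?
  staff[i]['email'] = client.user_email(u['username'])
end

staff.sample['email'].nil? # => false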

Try using client.list_users('staff', show_emails: true)

Note that accessing this information will appear in the staff log in the administrator panel.
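
The salted-hash lookup suggested in the first post, sketched as an added example (not part of the original posts and not Discourse or discourse_api code). It assumes a hypothetical `email_digest` field in the user list and a secret site-side key `SITE_SALT`, and it uses HMAC-SHA256 instead of a bare salted SHA256 so that digests cannot be recomputed by anyone who lacks the key.

```ruby
require 'openssl'

# Assumption: a secret kept on the server (hypothetical, not a Discourse setting).
SITE_SALT = 'constructed-demo-salt'

# Keyed digest of a normalized email, so "Alice@Example.com " and
# "alice@example.com" map to the same value.
def email_digest(email, salt = SITE_SALT)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), salt, email.strip.downcase)
end

# Constructed stand-in for a user list that carries digests instead of emails.
USERS = [
  { 'username' => 'alice', 'email_digest' => email_digest('alice@example.com') },
  { 'username' => 'bob',   'email_digest' => email_digest('bob@example.com') }
].freeze

# Constructed incoming CSV (no quoted fields, so a plain split is enough here).
INCOMING = <<~ROWS
  name,email
  Alice A,Alice@Example.com
  Carol C,carol@example.com
  Bob B, bob@example.com
ROWS

# Split incoming rows into accounts that already exist (matched by digest)
# and emails that have no account yet.
def match_rows(csv_text, users, salt = SITE_SALT)
  index = users.to_h { |u| [u['email_digest'], u['username']] }
  existing = {}
  missing = []
  csv_text.lines.drop(1).each do |line|
    name, email = line.chomp.split(',', 2)
    next if email.nil? || email.strip.empty? # skip blank or malformed rows
    username = index[email_digest(email, salt)]
    if username
      existing[username] = name
    else
      missing << email.strip
    end
  end
  { existing: existing, missing: missing }
end
```

Only a caller that holds the key can test whether an address is present, so the key has to be protected like any other credential.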

