API list_users with Staff API key misses emails

Continuing the discussion from Get user email, emails.json seems not working:

The API documentation for list_users states that the resulting JSON response provides email field. The above discussion mentions that:

Using a Staff API key, when I call client.list_users('staff'), I receive a list of users, but only my entry shows the email field. I would expect the email field to be returned for all users in the list. Otherwise I have to call the API again for each user to retrieve the email.

Since I have a CSV file with names and emails, I can only lookup users via their emails in order to manipulate the records or create new users from the incoming list. This makes the job just a bit tedious and error prone.

In general I think that emails should be available either in clear for Staff, or as a SHA256 Hash, maybe with some salt that would prevent arbitrary attackers from discovering whether an email is used at this site – although they have other ways to do so, e.g., password reminders or registration. Using a cryptographic hash of the email would allow to check its presence without disclosing it.

Anyway, I think that not having the email value in the user list using a Staff API key is a bug and should be fixed.

In the meantime, once you have the user list, you must iterate through it and call /u/#{username}/emails.json to inject the missing email in the list.


Here’s some code:

module DiscourseApi::API::Users
  def user_email(username)
    response = get("/u/#{username}/emails.json")
    response.body['email']
  end
end

staff = client.list_users('staff')
staff.each_with_index do |u, i|
  next unless u['email'].nil?
  staff[i]['email'] = client.user_email(u['username'])
end

staff.sample['email'].nil? # => false

Try using client.list_users('staff', show_emails: true)

Note that accessing this information will appear in the staff log in the administrator panel.

6 Likes