Can an admin change a user's email address?


(Joshua Frank) #2

I figured it out, enough to solve my immediate problem anyway.

I’m not sure it’s the best way to solve it, but if I impersonate the user, I can then change the address. I think an admin should probably have this ability, but it doesn’t come up that much, so I can live with this for now.

(Dean Taylor) #3

FYI:This was also recently discussed in a similar topic here although not 100% specific to your question:

(Joshua Frank) #4

Hmm, that thread does show a better way to do it. But why would it make sense to allow an admin to edit the user’s email address from the user’s preferences page (/users/{user}/preferences), but not the admin page for the same user (/admin/users/{user}). Surely the permissions should be the same on both?

However, this is still very helpful, thanks.

(Mittineague) #5

Slightly off-topic, But I’m curious.

As email address is the primary way of establishing a member’s identity, how is one able to know that “member A” is not trying to get at “member B’s” account?

(Joshua Frank) #6

I guess the admin would have to use his/her discretion. In this case, the user was, and the entry in the db was {SPACE}, and that leading space apparently matters. So it was pretty clear that I just needed to delete the space and fix an obvious typo.

Also, Discourse should probably trim leading and trailing whitespace, to prevent this obvious mistake.

(Jeff Atwood) #7

How did that leading space get in there? Did the user enter it?

(Joshua Frank) #8

Actually the user was created via a script calling the /users endpoint in the API, with data entered by the user, so really it’s a validation bug in my script, but probably the API should protect against this as well.

(Jeff Atwood) #9

You are probably right given the importance of email. @techAPJ can you make sure the API guards against (strips) extra leading or trailing spaces when entering emails? Perhaps it could be part of the validation steps somehow.

(Arpit Jalan) #10

Just pushed a fix:

(Sylvain Kalache) #11

To come back to the original question, I am trying to achieve the same thing: change a user email. However I am trying to do this via the API.

Looking at the documentation it seems possible via: users/:username/preferences/email

However looking at Discourse code it seems that this will trigger a job to send a confirmation email to the user. Is there a way to change a user email without the user confirmation?

Even if it’s a hacky way, I REALLY need to do it and I would like to avoid changing the value directly in the DB…

(Jeff Atwood) #12

That is very risky unless you know with 100% certainty that the email is valid, which implies SSO.

(Joshua Frank) #13

Sometimes I know the email is valid because the user emailed from that address to ask me to change it for them in the system.

(Sylvain Kalache) #14

What I am trying to do is disabling a user and then give the opportunity for this same user to create another account with the same email address. That’s why I need to change/invalidate a user email address.

I know it does not sound like a regular usage of Discourse, just sharing it so that you guys have more context and you might have a different idea on how to achieve this.

(cpradio) #15

I assume they are going to use a different username too? Why not just anonymize the account?

(Sylvain Kalache) #16

That indeed works! Thank you @cpradio :slight_smile:

(shahid) #18

Im trying all of the above but im simply not getting the edit pencil come up for changing the email address.
Im using SSO to sign users into discourse and have set email to be editable. Any other config that i maybe missing?

(Kane York) #19

You need to edit the email at the SSO provider, or disable “sso overrides email” to let everyone change their own.

(shahid) #20

hmm, right, so i cant have SSO and edit ability together at the same time.

I do not want to disable SSO, but want to facilitate for the scenario when admin may have to manually change a users email address via the dashboard.

So my option is to temporarily switch off SSO, make the change and then switch it back on?
I guess the impersonate option being spoken of above will also only work with SSO off?

Or i would have to make the change in the database directly.

(Kane York) #21

No, don’t disable SSO entirely - disable the sso overrides email setting.

(shahid) #22

sorry, yes thats what i meant :slight_smile: