Can an admin change a user's email address?

I guess the admin would have to use his/her discretion. In this case, the user was, and the entry in the db was {SPACE}, and that leading space apparently matters. So it was pretty clear that I just needed to delete the space and fix an obvious typo.

Also, Discourse should probably trim leading and trailing whitespace, to prevent this obvious mistake.

How did that leading space get in there? Did the user enter it?

Actually the user was created via a script calling the /users endpoint in the API, with data entered by the user, so really it’s a validation bug in my script, but probably the API should protect against this as well.

You are probably right given the importance of email. @techAPJ can you make sure the API guards against (strips) extra leading or trailing spaces when entering emails? Perhaps it could be part of the validation steps somehow.
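
The whitespace problem discussed above, as an added example that is not part of the original thread and not Discourse's own code: one way a provisioning script could clean an address before sending it to the /users endpoint, and audit already-stored addresses for the same defect. The function names and sample records are assumptions constructed for illustration.

```ruby
# Added example, not Discourse code. Names and sample data are constructed.

# Leading/trailing characters to drop. String#strip only handles ASCII
# whitespace, so a pasted NBSP (U+00A0) or zero-width space (U+200B) would
# survive it; [[:space:]] is Unicode-aware in Ruby.
EDGE_JUNK     = /\A[[:space:]\u200B\uFEFF]+|[[:space:]\u200B\uFEFF]+\z/
INTERIOR_JUNK = /[[:space:][:cntrl:]\u200B\uFEFF]/

# Returns the cleaned address, or raises ArgumentError when it cannot be repaired.
def normalize_email(raw)
  email = raw.to_s.gsub(EDGE_JUNK, "")
  raise ArgumentError, "empty address" if email.empty?
  # Whitespace or control characters inside the address are not a typo we can
  # safely guess at, so reject instead of silently rewriting.
  raise ArgumentError, "whitespace or control character inside address" if email.match?(INTERIOR_JUNK)
  local, at, domain = email.rpartition("@")
  raise ArgumentError, "expected local@domain" if at.empty? || local.empty? || domain.empty?
  email
end

# Audit helper: given stored {username => email} pairs, report every entry
# whose stored value differs from its cleaned form or cannot be cleaned.
def audit_emails(records)
  records.each_with_object({}) do |(username, stored), findings|
    begin
      clean = normalize_email(stored)
      findings[username] = { stored: stored, fixed: clean } unless clean == stored
    rescue ArgumentError => e
      findings[username] = { stored: stored, error: e.message }
    end
  end
end

# Constructed sample records.
SAMPLE = {
  "alice" => "alice@example.com",          # already clean
  "bob"   => " bob@example.com",           # leading ASCII space, as in the thread
  "carol" => "carol@example.com\u00A0",    # trailing NBSP from copy/paste
  "dave"  => "dave @example.com",          # interior space: rejected, not repaired
  "erin"  => "\u200Berin@example.com\n"    # zero-width space plus newline
}

if __FILE__ == $PROGRAM_NAME
  audit_emails(SAMPLE).each { |user, finding| puts "#{user}: #{finding.inspect}" }
end
```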


Just pushed a fix:


To come back to the original question, I am trying to achieve the same thing: change a user email. However I am trying to do this via the API.

Looking at the documentation it seems possible via: users/:username/preferences/email

However looking at Discourse code it seems that this will trigger a job to send a confirmation email to the user. Is there a way to change a user email without the user confirmation?

Even if it’s a hacky way, I REALLY need to do it and I would like to avoid changing the value directly in the DB…

That is very risky unless you know with 100% certainty that the email is valid, which implies SSO.

Sometimes I know the email is valid because the user emailed from that address to ask me to change it for them in the system.

What I am trying to do is disable a user and then give the opportunity for this same user to create another account with the same email address. That’s why I need to change/invalidate a user email address.

I know it does not sound like a regular usage of Discourse, just sharing it so that you guys have more context and you might have a different idea on how to achieve this.

I assume they are going to use a different username too? Why not just anonymize the account?


That indeed works! Thank you @cpradio :slight_smile:

I'm trying all of the above but I'm simply not getting the edit pencil to come up for changing the email address.
I'm using SSO to sign users into Discourse and have set email to be editable. Any other config that I may be missing?

You need to edit the email at the SSO provider, or disable “sso overrides email” to let everyone change their own.

Hmm, right, so I can't have SSO and edit ability together at the same time.

I do not want to disable SSO, but want to facilitate for the scenario when admin may have to manually change a user's email address via the dashboard.

So my option is to temporarily switch off SSO, make the change and then switch it back on?
I guess the impersonate option being spoken of above will also only work with SSO off?

Or I would have to make the change in the database directly.

No, don’t disable SSO entirely - disable the sso overrides email setting.


Sorry, yes, that's what I meant :slight_smile:

As forum admin, I would like to change the e-mail of a user. The user’s e-mail provider went out of business.

I know the user and the user is authenticated to me by authenticated e-mail (gpg / OpenPGP) so I have no doubts about the legitimacy of the request.

Discourse sends a verification e-mail to the old e-mail address which will never arrive. Hence, e-mail cannot be updated.

Any advice?

If you have access to the site’s rails console, you can change email addresses without triggering a confirmation email.

Enter the docker container and then launch the rails console:

./launcher enter app 
rails c

Then find the user from their current email address:

u = User.find_by_email('')

Then update the email address:

u.update(email: '')

After updating the user’s email address through the command line, go to the Admin / Users page for the user. In the Permissions section of that page, click the ‘Deactivate Account’ button. You will then see two new buttons, ‘Send Activation Email’, and ‘Activate Account.’ Click the ‘Send Activation Email’ button. This will send the ‘Welcome to Discourse!’ email to the new email address. The user can click the link in that email to reaccess their account.

If the user is an Admin, you’ll have to Revoke Admin access first to be able to Deactivate Account.


This works initially but e-mail is subsequently automatically reset to old e-mail address.

User reported “This sends out new account creation confirmation.”

The old e-mail (provider no longer existing) is probably receiving a confirmation mail which the user cannot confirm. Hence, back to square one.

Are you using SSO to log users into Discourse?