Can I manage "Admin", "Moderator" privileges and "Active" status via REST?


(Roarke Lynch) #1

I’d like to be able to modify if a user has admin and moderator privileges as well as a user’s active status through REST. I’ve watched the requests from the admin panel and found the endpoints, but it is not behaving as expected.

These are the paths and verbs I’ve tried. I’ve included the appropriate api_key and api_username query params as well. I keep getting 403’d.

Grant User Admin Privileges
PUT /admin/users/USER_ID/grant_admin

Remove User Admin Privileges
PUT /admin/users/USER_ID/revoke_admin

Grant User Moderator Privileges
PUT /admin/users/USER_ID/grant_moderation

Remove User Moderator Privileges
PUT /admin/users/USER_ID/revoke_moderation

Activate User
PUT /admin/users/USER_ID/activate

Deactivate User
PUT /admin/users/USER_ID/deactivate


(Felix Freiberger) #2

What api_username and whose api_key did you send, exactly?


(Roarke Lynch) #3

Those will change based on your instance. I used a shared account that was granted admin privileges along with the shared API key generated from /admin/api.


(Felix Freiberger) #4

Did all requests return 403? Did you try to modify a developer account from a “normal” admin account? (I’m not sure whether this is allowed.)


(Roarke Lynch) #5

Yes, I got 403 from all requests. I tried using an admin api_username to change accounts with no admin privileges. I also tried generating an API key specific to the admin api_username account. The results remained the same.


(Kane York) #6

If you impersonate the user you created, are you able to grant or revoke admin privileges? I know that admin privs have some weird permissions…


(Roarke Lynch) #7

@riking I went to check out your suggestion and everything was working, which is very odd. We did switch to HTTPS-only in the interim. That may have had an impact. One way or the other I am keeping a watchful eye on our integration code to make sure that our systems continue to play nicely with Discourse.


(Neil Lalonde) #8

That sounds like the problem. Try creating an API key for an admin user, and using that user’s username in the api_username parameter and its key in api_key. (or you said you tried that?)

Maybe try the discourse_api gem if you’re comfortable with ruby? The credentials are set here.


(Roarke Lynch) #9

Unfortunately the problem resolved itself as we switched over to HTTPs. I can’t replicate the error anymore. I had tried to use both the all-user API key and an admin-user-specific API key with the same results earlier.

We didn’t have access to ruby for the integration, it was all PHP.