Unable to update email via API: invalid_access error

Hi Guys,

I'm getting an error when trying to use the API to update email.
I have looked at the logs and can see the following:

```
Started PUT "/discussion/users/davetest/preferences/email.json" for xx.xx.xx.xx at 2018-05-11 12:22:11 +0000
Processing by UsersEmailController#update as JSON
Parameters: {"api_key"=>"[FILTERED]", "api_username"=>"daveAdmin", "email"=>"new.email@example.com", "username"=>"davetest"}
Can't verify CSRF token authenticity.
```

This is a PUT request, but looking at the scopes below, it doesn't seem like PUT is supported for the WRITE scope? Surely I'm misunderstanding, so could someone please assist?

I have re-generated the all-user api-key, also created specific user api-keys to use, but same result.

```ruby
SCOPES = {
  read: [:get],
  write: [:get, :post, :patch],
  message_bus: [[:post, 'message_bus']],
  push: nil,
  notifications: [[:post, 'message_bus'], [:get, 'notifications#index'], [:put, 'notifications#mark_read']],
  session_info: [[:get, 'session#current'], [:get, 'users#topic_tracking_state']]
}
```

Can you verify the content-type that you are making the API request as? It needs to be

"Content-Type: multipart/form-data;"

If it is not that content type you may see the CSRF token error.

Hi, thanks for the reply.
I actually had tried it both with ‘application/json’ and ‘application/x-www-form-urlencoded’ and neither worked. I have now tried it with what you suggested (via postman) and getting:

“You are not permitted to view the requested resource. The API username or key is invalid.”

I have regenerated the global api key that is used for “all users” and using it with my own username, which is an admin too…

shahid

Here is an example of my postman request maybe you can spot any differences with what you are doing? I’m also using the “all users” key with an admin username.

Yes, it's the same, I'm using the Postman API collection supplied by Discourse. So using it as suggested. I will try again tonight and see if I get any different results. Will update when I've tried. Thanks for assisting, much appreciated. Do let me know if you have any other idea.

I’m experiencing this issue too and I’m wondering if it has anything to do with using an oauth provider for signing in and so this specific page is being blocked?

It most likely isn’t the oauth provider because the api keys will bypass it.

Could you share the code for your API request?

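In Python:

```python
import json
import requests
import time

my_token = ''  # API key (left blank in the post)

url_base = '<>'  # base URL of the forum, ending in "/"
update_email = url_base + "users/<my_username>/preferences/email.json"

# Note: requests does not add a multipart boundary when Content-Type is set
# by hand; with data=... the body below is sent form-encoded.
headers = {
    "Content-Type": "multipart/form-data",
    'user-agent': 'my-app/0.0.1',
    'Api-Key': my_token,
    'Api-Username': '<my_username>'
}

# New address for the user named in the URL
data = {
    "email": "<new_email>"
}

response = requests.put(update_email, data=data, headers=headers)

print(response.text)
```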

Edit: very similar code for setting groups on users etc worked, so the key / username combo (which is a user with admin privileges) works.

Edit 2: I’m guessing from other browsing in the forum that this has to be done directly in the database, (or rather, via the console) which is impossible for us.

Any more thoughts on this? My feeling is that someone with admin access rights should be able to set the e-mail of a person.

How so? I don’t think this is possible with the existing web UI, which defines the API. Therefore it can’t be done.

You mean that the UX/API should make it possible to set a user’s email address to whatever you want. (Not that you believe that it is currently possible.)

You can initiate a change (via UX and I presume API) by editing their profile and entering the new address, but it won’t be changed until they click the link in their email. Is that good enough? If not, you’ll need to do it from the console or a plugin.

Exactly.

Whenever I enter something in the UX for editing the e-mail (which I can only access through the direct URL i.e. https://<discourse>/u/<username>/preferences/email, there is no link through the user’s profile) it pops up that I can’t do this after clicking on “Change”:

image

And this is on my own account as an admin. I don’t get an e-mail.

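I've now reached this stage too…

@pfaffman: You mentioned that the email address can be changed in the profile, but that requires email editable to be set, right?

I've been told there is no way for an admin, or an admin API call, to initiate an email change unless users themselves are able to change their email address. If users are allowed to change it, a confirmation email certainly has to be sent and the user has to approve the change, but that is fine.

My use case is that I want to manage users from another app via the API. So I would like users not to be able to change their email address themselves on Discourse.

Would it be possible to implement Single Sign On and set up your other app as the source of logins?

There is a specific SSO setting, sso overrides email, that does what you are asking for. If SSO is configured, you can use the sync_sso endpoint to pass in the new email address.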

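How the signed payload for the sync_sso call mentioned in the reply above can be built and checked, as an added example that is not part of the thread or of Discourse's own code. It assumes the usual Discourse SSO format (Base64 of a URL-encoded field list, signed with HMAC-SHA256 under the site's SSO secret); the secret, external_id and the `admin/users/sync_sso` path are constructed values or assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample value; the real one is the site's SSO secret setting.
SSO_SECRET = "constructed-sso-secret"


def build_sync_sso_params(secret, external_id, email, username=None):
    """Return the sso/sig form fields for an admin sync_sso request."""
    fields = {"external_id": external_id, "email": email}
    if username:
        fields["username"] = username
    # Payload: URL-encoded fields, then Base64.
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    # Signature: hex HMAC-SHA256 over the Base64 text, keyed with the secret.
    sig = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return {"sso": payload, "sig": sig}


def verify_and_decode(secret, params):
    """Receiver-side check: constant-time signature compare, then decode."""
    expected = hmac.new(secret.encode(), params["sso"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["sig"]):
        raise ValueError("bad SSO signature")
    decoded = base64.b64decode(params["sso"]).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


if __name__ == "__main__":
    params = build_sync_sso_params(SSO_SECRET, "42",
                                   "new.email@example.com", "davetest")
    print(params)
    print(verify_and_decode(SSO_SECRET, params))
    # To send (path is an assumption, not taken from the thread):
    #   POST <url_base>admin/users/sync_sso with these two form fields and
    #   the Api-Key / Api-Username headers of an admin.
```

Anyone holding the SSO secret can mint such payloads for any external_id, so it should be stored and rotated like the admin API key.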

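Thanks, @blake. That is challenging, but fun :wink:

Having to import passwords from Discourse into the Identity Hub… oh dear.

I handled my original scenario with a three-step procedure: enable email editing, initiate the email change, then disable email editing. It feels a bit excessive, but it works.

I will think about the SSO scenario as well.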
