"Delete Spammer" from "Flag" menu returns 403, doesn't work

Happening on hosted discourse https://forum.ionicframework.com/ all the time:

  • I see a spam post of a new user.
  • Click “…” and then “Flag” icon
  • Mark “It’s spam”
  • Click “Delete spammer” button
  • Get 403 response from backend for email.json:


Can we repro this @eviltrout?

I could not reproduce this one. @Sujan can you provide any more details? For example are you a moderator or an admin when you do this?

I reported the same issue here:


In short, this is only an issue for moderators when the show_email_on_profile site setting is turned off, which is the default.


Yes, I am a moderator.
https://meta.discourse.org/t/delete-spammer-on-admin-flags-doesnt-work-for-mods-if-show-email-on-profile-setting-is-turned-off/66785?u=osama&source_topic_id=73975 does look relevant.

Aha does that help narrow it down @eviltrout?

I just tried this as a moderator and clicked delete spammer from the modal and it worked fine. Also @Osama in that topic @zogstrip says he fixed it back in July? Is it not fixed?

Hi Robin

@zogstrip’s commit fixed a related issue, but doesn’t seem to have fixed this very particular issue because I’m able to reproduce it every time I attempt on my dev install (it’s on absolute latest).

Did the account have admin rights as well as moderator rights? If so then the admin rights need to be revoked to be able to reproduce this bug. And was the show_email_on_profile setting disabled? If these two conditions are met, you should be able to reproduce this.

I’m sure this has something to do with permissions to view emails. See X-Discourse-Route in response headers:

I am not sure why I wasn’t able to reproduce it before but I managed to do it this morning (3rd time is the charm?).

Here’s a fix:



This topic was automatically closed after 31 hours. New replies are no longer allowed.