Grant_Admin / Revoke_admin through API Needs revision

There either needs to be a SETTING for turning off confirmation emails, or confirmation emails for revoke admin, because I set up something to modify admin through the API and CANNOT functionally use it using the system, and lost admin on my own account because of this, as well as several others, because it requires an email confirmation, which the system didn’t have an email for confirmation somehow? And because revoke absolutely doesn’t need one.

I would most prefer if there was a setting to turn off confirmation on an API basis.

I’ve just tested this out on my own site. Revoking admin status via the API is done by making a PUT request to <user_id>/revoke_admin. When I try this, admin status is revoked and no email confirmation is required. I’m finding a couple of issues with the response that Discourse sends for this request though.

If the user does have admin status, I’m getting an empty response instead of a success message when I revoke their admin status via the API.

If the user does not have admin status, I get an HTML response if the PUT request is made to <user_id>/revoke_admin and an invalid access error if I make the request to <user_id>/revoke_admin.json.

It would be good to get informative success and failure messages for this route.

I’m not sure about allowing admin status to be granted without a confirmation email. The way it currently works is intended to supply an extra layer of security.


Exactly the problem with revoke not needing one and giving it does. If you’re not aware of it, then you can revoke ALL admins on accident from your Discourse and have 0 recourse to add them…

If you’re going to make one REQUIRED to have something to verify, the other also should have a verify.

There is also no ability to turn off this verification so you can just grant admin through the API directly if you have an admin that has all power.