Request: separate API granular API scope for 'suspend user"

This is hopefully a small one. I would like to have a script which runs periodically and automatically suspends users whose accounts are disabled, locked, or otherwise removed in our centralized account system.

This is easily done through the API Discourse API Docs. However, there appears to be no granular API scope covering just this. Since there are scopes for Delete and Anonymize, hopefully this would not be too hard to add.

With this limitated scope, compromise of this key could let someone be annoying — but not incredibly disruptive otherwise.

3 Likes

There is already an suspend user scope unless I don’t understand you correctly.

1 Like

Hi Ethan (or is it not-ethan?). There is an API endpoint. What I am looking for is an authorization scope for the corresponding API key. I want to be able to create an API key which can only access this endpoint.

Take a look in the admin user interface. You will find something like this. (It continues on down the page with some more, but no “suspend” in the user section, unless I am missing something.)

2 Likes

I am anybody but Ethan.


I believe the scope would be updating users.

This is not possible. The closes is granting update user but that would also allow for other things like silencing (de)activating and other things I belive.

I am not sure if the “update” endpoint and scope even cover this. But, yes, right — this would be too broad. Hence the request.

4 Likes

Thanks for bringing this up @mattdm!

I just created a PR that adds the api scope for suspending users.

Pending any feedback it should get merged in soon.

5 Likes