A suspended, inactive or blocked user with an API key can still create topics

The user is configured like this:

Inactive and suspended, yet I am still able to create a topic with the following code:

require "discourse_api"

# Client setup for the discourse_api gem; the host, key and username below are placeholders
client = DiscourseApi::Client.new("https://discourse.example.invalid")
client.api_key = ENV.fetch("DISCOURSE_API_KEY")   # key issued to the suspended user
client.api_username = "suspended-user"

@data = {
  skip_validations: true,
  auto_track: false,
  title: "test",
  raw: "test"
}
resp = client.create_topic(@data)   # succeeds even though the user is suspended

Is this intended behavior? On the other hand, category security settings are respected.

What I am trying to achieve: I have an open source project with a simple Ruby script that downloads the latest topics from a particular Discourse instance and converts them to a static web site.
I would like to commit this API key for a read-only user, so everyone can clone this repo and start their work.

Is there any other way to achieve this (a read-only user with API access)?

Thanks

Edit: It also doesn’t work when the user is blocked.

4 Likes

Only the API is allowed to do this. We never intended to allow API usage to the general public; if you suspend a user you must revoke their keys.

Hmmm, for read only access you don’t need any API key, all the json endpoints work fine without it.

Probably Ok to add a check here in API for suspended user, but this seems like a super freakish edge case to me…

Perhaps the suspend action could auto revoke any API keys this user holds?

5 Likes
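The read-only path sam describes, as an added example that is not part of the original thread or of Discourse's own code: the public /latest.json listing is fetched with no API key at all, the topics are extracted, and an index page is rendered with titles HTML-escaped so forum content cannot inject markup into the generated site. The network call is isolated in `fetch_latest`; the rest runs offline on a constructed sample payload whose shape follows /latest.json but whose values are made up. The host `https://example.invalid` is a placeholder.

```ruby
require "json"
require "net/http"
require "uri"
require "cgi"

# Fetch the public /latest.json listing from a Discourse instance.
# No API key is needed for public content: this is the same JSON the
# web client itself requests. (Only this function touches the network.)
def fetch_latest(base_url)
  uri = URI.join(base_url, "/latest.json")
  res = Net::HTTP.get_response(uri)
  raise "HTTP #{res.code} from #{uri}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Pull out only the fields a static site generator needs.
def extract_topics(payload)
  topics = payload.fetch("topic_list", {}).fetch("topics", [])
  topics.map do |t|
    {
      id: t["id"],
      slug: t["slug"],
      title: t["title"],
      posts_count: t["posts_count"],
      created_at: t["created_at"]
    }
  end
end

# Canonical topic URL on the source instance.
def topic_url(base_url, topic)
  "#{base_url.chomp('/')}/t/#{topic[:slug]}/#{topic[:id]}"
end

# Render the topic list as static HTML. Titles and URLs are escaped so a
# topic title containing markup cannot inject HTML into the generated site.
def render_index(base_url, topics)
  items = topics.map do |t|
    href = CGI.escapeHTML(topic_url(base_url, t))
    title = CGI.escapeHTML(t[:title].to_s)
    %(<li><a href="#{href}">#{title}</a> (#{t[:posts_count].to_i} posts)</li>)
  end
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Constructed sample payload (shape follows /latest.json; values are made up).
SAMPLE_LATEST = {
  "topic_list" => {
    "topics" => [
      { "id" => 101, "slug" => "welcome-to-the-forum", "title" => "Welcome to the forum",
        "posts_count" => 3, "created_at" => "2016-01-01T00:00:00.000Z" },
      { "id" => 102, "slug" => "a-bold-title", "title" => "A <b>bold</b> title",
        "posts_count" => 1, "created_at" => "2016-01-02T00:00:00.000Z" }
    ]
  }
}.freeze

if __FILE__ == $0
  # Usage: ruby latest_to_static.rb https://forum.example.invalid
  # With no argument the constructed sample is rendered instead.
  base = ARGV[0]
  payload = base ? fetch_latest(base) : SAMPLE_LATEST
  puts render_index(base || "https://example.invalid", extract_topics(payload))
end
```

Because nothing here needs credentials, there is no key to commit to the repository, which removes the original problem rather than working around it.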

Thanks for the tip @sam, problem is gone.

Revoking API keys on suspend/block/deactivate would be far more intuitive.

That’s now done :rat:

https://github.com/discourse/discourse/commit/73624e63c52f915c1530d29a965cee9d0ae2de7d

3 Likes
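The principle the thread settles on, as an added illustration that is not Discourse's code and not the linked commit: an API key is stored only as a hash, authentication rejects a key whose owner is no longer usable (inactive, suspended or blocked) even if revocation was missed, and suspending, blocking or deactivating a user revokes every key the user holds. The class and method names are assumptions made for this example.

```ruby
require "securerandom"
require "digest"

# Minimal account model; flag names mirror the states named in the thread.
class User
  attr_reader :username
  attr_accessor :active, :suspended, :blocked

  def initialize(username)
    @username = username
    @active = true
    @suspended = false
    @blocked = false
  end

  # A key may only act on behalf of a user who is in good standing.
  def usable?
    active && !suspended && !blocked
  end
end

# One issued key: only its SHA-256 hash is kept, so a stored record
# cannot be turned back into a working credential.
class ApiKey
  attr_reader :user, :key_hash, :revoked_at

  def initialize(user, key_hash)
    @user = user
    @key_hash = key_hash
    @revoked_at = nil
  end

  def revoke!(now = Time.now)
    @revoked_at ||= now
  end

  def revoked?
    !@revoked_at.nil?
  end
end

class ApiKeyStore
  def initialize
    @keys = []
  end

  # Issue a key and return the plaintext once; the store keeps the hash.
  def issue(user)
    plaintext = SecureRandom.hex(32)
    @keys << ApiKey.new(user, Digest::SHA256.hexdigest(plaintext))
    plaintext
  end

  def revoke_all_for(user)
    @keys.select { |k| k.user.equal?(user) }.each(&:revoke!)
  end

  def active_keys_for(user)
    @keys.count { |k| k.user.equal?(user) && !k.revoked? }
  end

  # Returns the owning user, or nil when the key is unknown, revoked, or
  # belongs to a user who is not usable. The owner check is the belt-and-braces
  # guard: even if revocation on suspend were skipped, the key stops working.
  def authenticate(plaintext)
    digest = Digest::SHA256.hexdigest(plaintext.to_s)
    key = @keys.find { |k| k.key_hash == digest }
    return nil if key.nil? || key.revoked?
    return nil unless key.user.usable?
    key.user
  end
end

# State changes revoke keys as part of the same action, which is the
# behaviour the thread asks for.
def suspend!(store, user)
  user.suspended = true
  store.revoke_all_for(user)
end

def block!(store, user)
  user.blocked = true
  store.revoke_all_for(user)
end

def deactivate!(store, user)
  user.active = false
  store.revoke_all_for(user)
end
```

Revoking on the state change, rather than only checking the owner at request time, also means the key stays dead after the user is reinstated; a new key must be issued deliberately.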