Copied verbatim from: update API to handle CSRF token by spaghetticode · Pull Request #20 · discourse/discourse_api · GitHub
I just debugged through this issue and can confirm the api gem has become a bit of a mess.
Initially, when I wrote it, all requests (GET, PUT, POST) passed along api_key and api_username.
100 refactors later, we are no longer doing this, so it needs to be done explicitly; people are forgetting (naturally) and the API is messing up.
1. api gem MUST always pass api_key and api_username to EVERY (get, put, post) it makes, this must be fixed asap
2. examples are mostly bust, the examples folder needs to be fixed with WORKING examples
3. a huge oversight is that now there is no posts.rb, so no clean way for creating posts and the like, this must be added asap. Cause this is a mess on about 10 levels:

   ```ruby
   category: "Boing Boing",
   title: "Concert Master: A new way to choose",
   raw: "This is the raw markdown for my post",
   ```

The CSRF thing is a red herring; CSRF bypassing for the API works fine, I just confirmed it.
Regarding complaints about update_email being a mess, the reason is twofold.
- See item number 1) in my list above
- The API endpoint is misunderstood: it will only trigger the email change process, it does not actually change any emails until users confirm.
So, if people really want to change emails via API, a new endpoint needs to be added to Discourse. But keep in mind, even admins are required to validate emails in the current system; this would be a departure from it. (and probably a legit use case in API use)
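
The first and third items in the list above, as an added example that is not part of the original post and is not discourse_api code: every verb funnels through one private method that merges the credentials in, so an endpoint helper cannot forget them. The class name, the injected transport, and the `/posts` path are assumptions made for illustration.

```ruby
# Added example; SketchClient and its transport interface are hypothetical.
class SketchClient
  VERBS = %i[get put post].freeze

  # transport: any callable taking (verb, path, params). A real client would
  # wrap its HTTP library here; it is injected so this runs offline.
  def initialize(api_key:, api_username:, transport:)
    raise ArgumentError, "api_key is required" if api_key.to_s.empty?
    raise ArgumentError, "api_username is required" if api_username.to_s.empty?
    @credentials = { api_key: api_key, api_username: api_username }.freeze
    @transport = transport
  end

  # The public verb helpers are generated from one list and all call #request,
  # so there is no code path that builds a request without credentials.
  VERBS.each do |verb|
    define_method(verb) { |path, params = {}| request(verb, path, params) }
  end

  # What a posts.rb-style helper could look like ("/posts" is an assumed path).
  def create_post(category:, title:, raw:)
    post("/posts", { category: category, title: title, raw: raw })
  end

  private

  def request(verb, path, params)
    # Keys are normalised to symbols and credentials merged last, so a
    # caller-supplied "api_key" or :api_username cannot replace the real ones.
    merged = params.transform_keys(&:to_sym).merge(@credentials)
    @transport.call(verb, path, merged)
  end
end

# Constructed stand-in transport that records what would have been sent.
SENT = []
RECORDER = lambda do |verb, path, params|
  SENT << [verb, path, params]
  :ok
end
```
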