Commit Graph

35 Commits

Author SHA1 Message Date
Blake Erickson 451ee71930
FEATURE: Add API scope for listing topics in a category (#20471)
Adding an api scope for `/c/{slug}/{id}.json`. Without this you had to
append `/l/latest` to the url in order for it to work with existing
scopes.
2023-02-27 16:21:39 -07:00
Blake Erickson 5dbdcb3f23
FEATURE: Adding some more api scopes (#20420)
Adds api scopes for

- deleting a topic
- deleting a post
- listing tags
2023-02-23 08:33:29 -07:00
Blake Erickson 51a7cd899e
FEATURE: Add API scopes for group endpoints (#20401)
Added two new api scopes for managing and administering groups.

See https://meta.discourse.org/t/249710
2023-02-22 09:06:49 -07:00
Blake Erickson 4ecfac39a6
FEATURE: Add separate api scope for topic status (#19978)
This will allow us more granular control over changing a topic status.
For example you can now force the scope to only allow closing topics in
a specific category. This means that the same scope can't be used to
re-open topics, or close topics in a different category.
2023-01-27 08:05:29 -07:00
Blake Erickson a6291cd854
FEATURE: Add api scope for suspending users (#19965)
See: https://meta.discourse.org/t/request-separate-api-granular-api-scope-for-suspend-user/249928/5
2023-01-23 16:20:49 -07:00
Blake Erickson 774feb6614
FEATURE: Add api scope for create invite endpoint (#19964)
Adds an api scope for the POST /invite endpoint.
2023-01-23 16:20:22 -07:00
Blake Erickson 09f5235538
FEATURE: Add api scope for search endpoint (#19955)
Adds two new api scopes for the /search endpoints:

- `/search.json?q=term`
- `/search/query.json?term=term`

see: https://meta.discourse.org/t/search-api-key-permissions/227244
2023-01-23 14:06:57 -07:00
Selase Krakani 73ec80893d
FEATURE: Extend topic update API scope to allow status updates (#19654)
Allow an API key created with topic:update API scope to make updates to
topic status. This change also introduces an optional category_id scope
param.
2023-01-13 01:21:04 +00:00
David Taylor 5a003715d3
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
Andrei Prigorshnev 6357a3ce33
FEATURE: User Status API (#19149)
This adds API scope for the user status. This also adds a get method to the user status controller. We didn't need a dedicated method that returns status before because the server returns status with user objects, but I think we need to provide this method for API clients.
2022-11-24 19:16:28 +04:00
Roman Rizzi e5691362df
DEV: add smtp_should_reject to the receive_emails api key scope (#17110) 2022-06-16 13:46:56 -03:00
Angus McLeod 9fc3d46003
Update wordpress scopes and add ``session/scopes`` endpoint (#15366)
* Update wordpress scopes && add ``session/scopes`` endpointt

* Fix failing spec

* Add users#show scope to discourse_connect

* Update app/controllers/session_controller.rb

Co-authored-by: Roman Rizzi <rizziromanalejandro@gmail.com>

Co-authored-by: Roman Rizzi <rizziromanalejandro@gmail.com>
2022-05-02 12:15:32 -03:00
OsamaSayegh 2f7a307237 FIX: Prevent duplicates in API scope allowed URLs
It's possible in Rails to map a single route to multiple controller
actions with different constraints. We do this in at least 1 place in
our application for the root route (/) to make it possible to change the
page that root route displays.

This means that if you get the list of routes of your application,
you'll get the same route for each time the route is defined. And if
there's an API scope for 2 (or more) controller actions that map to the
same route, the route will be listed twice in the Allowed URLs list of
the scope.

To prevent this, this PR adds the allowed URLs in a set so that
duplicate routes are automatically removed.
2022-04-07 02:09:11 +03:00
OsamaSayegh 5eaf4b8553 FIX: Include routes in an API scope's allowed URLs even if they have no format constraints
The Allowed URLs list of an API scope only includes routes that
constraint the format for the route to JSON. However, some routes define
no format constraints, but that doesn't mean they can't be used by an
API key.

This commit amends the logic for the Allowed URLs list so that it
includes routes that have no format constraints or the format
constraints include JSON.
2022-04-07 02:09:11 +03:00
Osama Sayegh 8d96761a4f
FIX: Include engine mount path for API scopes added by plugins (#16154)
In the API keys page where admins can create API keys with restricted scopes, each scope shows a list of URLs that it allows. But currently, this list of allowed URLs shows incomplete URLs for scopes that are added by plugins. For example, the allowed URL for the "run queries" scope of the data-explorer plugin is shown as `/queries/:id/run` when the correct URL for this scope is `/admin/plugins/explorer/queries/:id/run`. The first 3 segments of the path are the mount path of the plugin's engine and it's missing because the routes set of the engine doesn't include the mount path. To fix this, this commit gets the mount path and prepends it to the URL so the complete URL is shown to the user.

It's not possible to write tests for this change because plugins are not loaded in the test environment by default when core's tests suite is running.
2022-03-10 22:01:22 +03:00
Blake Erickson d760fd4074
DEV: Add API scope for categories endpoint (#16105)
This change adds support for the categories endpoint to have an api
scope. Only adds GET scope for listing categories and for fetching a
single category.

See: https://meta.discourse.org/t/218080/4
2022-03-04 14:29:47 -07:00
Blake Erickson 07e80b52ef
DEV: Add api scoping for updating topics. (#16101)
This change adds a new api scope for updating topics.

See: https://meta.discourse.org/t/219805
2022-03-04 10:44:56 -07:00
Osama Sayegh 688be607c9
FIX: Allowed URLs for API scopes added by plugins (#15662) 2022-01-20 22:29:03 +03:00
Martin Brennan 4519f3f137
FIX: Add more actions to the uploads API key scope (#15306)
The uploads API key create scope did not cover the
external upload API endpoints, or the direct S3
multipart endpoints, and this commit adds them.

cf. https://meta.discourse.org/t/upload-create-api-key-insufficient/211896
2021-12-15 14:08:11 +10:00
Alan Guo Xiang Tan 4e67297a7c FIX: Missing allowed urls when displaying granualar API key scopes.
Follow-up to 3791fbd919
2021-12-07 10:17:17 +08:00
Alan Guo Xiang Tan 44588255fc FEATURE: Introduce API scopes for badges. 2021-12-07 10:17:17 +08:00
RogerBW fd66df5997
FEATURE: adds uploads scope for API keys (#14941)
* FEATURE: adds uploads scope for API keys

* Add basic test, change "image" to "file"
2021-11-22 10:49:08 -07:00
Bianca Nenciu 3791fbd919
FEATURE: Add read-only scope to API keys (#14856)
This commit adds a global read-only scope that can be used to create
new API keys.
2021-11-10 17:48:00 +02:00
David Taylor 444e21b12d
FEATURE: Add 'users.list' API scope (#13742) 2021-07-16 11:10:04 +08:00
Vinoth Kannan 33eae4cbd8
FEATURE: add period filter in top topics route for tags. (#13415)
And also move all the "top topics by period" routes to query string param.

/top/monthly => /top?period=monthly
/c/:slug/:id/l/top/monthly => /c/:slug/:id/l/top?period=monthly
/tag/:slug/l/top/daily => /tag/:slug/l/top?period=daily (new)
2021-07-06 15:25:11 +05:30
Roman Rizzi 4afd8f9bdf
FEATURE: An API key scope for editing posts. (#13441) 2021-06-18 12:53:10 -03:00
Roman Rizzi e485e95792
FIX: Adding a custom scope should not modify the original ones. (#12178)
Default scopes are stored inside a class variable, which shouldn't be modified when a custom scope is added. If this happens, we're no longer to remove the scope when the plugin is disabled.
2021-02-22 20:10:53 -03:00
Roman Rizzi 07cf0f9460
FIX: Allow plugins to correctly extend API key scopes. (#12113)
Adding a scope from a plugin was broken. This commit fixes it and adds a test.

It also documents the instance method and renames the serialized "id" attribute to "scope_id" to avoid a conflict when the scope also has a parameter with the same name.
2021-02-17 14:42:44 -03:00
David Taylor f56c4b78da
FEATURE: Add users:log_out API key scope (#11359) 2020-11-26 10:39:38 +00:00
David Taylor 0c685a46de
FEATURE: Add user update, anonymize and delete API scopes (#11335) 2020-11-24 12:54:24 +00:00
Roman Rizzi 689623ffc0
FEATURE: Add an API key scopes for handling incoming email. (#11245)
Admins need to create a global API key if they want to use the mail-receiver. Let's add a scope for that.
2020-11-16 14:14:12 -03:00
David Taylor 1cec333f48 REFACTOR: Introduce RouteMatcher class
This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-19 10:40:55 +01:00
Roman Rizzi dd13304b81
FEATURE: More API scopes (#10493) 2020-08-24 12:15:08 -03:00
Roman Rizzi 390615fbcd
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 15:12:04 -03:00
Roman Rizzi f13ec11c64
FEATURE: Add scopes to API keys (#9844)
* Added scopes UI

* Create scopes when creating a new API key

* Show scopes on the API key show route

* Apply scopes on API requests

* Extend scopes from plugins

* Add missing scopes. A mapping can be associated with multiple controller actions

* Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes

* Add not null validations and index for api_key_id

* Annotate model

* DEV: Move default mappings to ApiKeyScope

* Remove unused attribute and improve UI for existing keys

* Support multiple parameters separated by a comma
2020-07-16 15:51:24 -03:00