Ability to have granular scope for data explorer?

jordan-violet · April 17, 2025, 3:31pm

Is there a way to scope an API key to be able to both read and write for data explorer queries without giving a globally scoped admin API key?

pfaffman · April 17, 2025, 4:03pm

Data explorer cannot write anything, ever.

You can create a query and allow members of a group who cannot otherwise have access to the plugin to run particular queries.

jordan-violet · April 17, 2025, 5:13pm

Sorry, maybe it was not written well. Can queries themselves not be created via API?

That is the function in question—read and write the actual queries themselves, not within a query.

pfaffman · April 17, 2025, 5:20pm

Oh. Sorry. I did miss that. So you want to create queries via the API, not just run them. That is different.

I suspect that the answer is no.

What problem do you have that writing queries via the API is going to solve? Do you need to create a lot of them or something?

jordan-violet · April 17, 2025, 5:23pm

You can create them via API, my question is if we can somehow limit the scope of an API key for that. Currently an API key scope can be limited to reading data explorer queries, but it doesn’t give an option to limit a scope to writing.

So today, if I want to give someone in my business the ability to write queries to data explorer, I have to give them a full global admin API key.

Here are the docs on creating queries via API:

pfaffman · April 17, 2025, 5:25pm

Ah. I see. You trust a particular human to write queries, but not anything else. I don’t think there’s a way to do that currently.

tobiaseigen · May 30, 2025, 1:35pm

Sounds to me like what you are asking for, and which seems a good idea alot of communities would benefit from, is a setting like data_explorer_allowed_groups which lets you provide full access to data explorer to more groups in addition to admins.

Presumably then if the group is allowed access, then the API key of that user would work to create queries as well as access them.

Currently it’s only possible to let people access existing queries, via their groups page.

I’ve moved this to Feature so the feature request can be considered. Not sure it will be picked up but this at least puts the idea out there.

pfaffman · May 30, 2025, 4:47pm

The reason not to do that is that it gives those people full (though read-only) access to everything in the database–passwords, IP addresses (which moderators have), all of the secrets in SiteSettings, and probably some other stuff. OTOH, it is read-only, so it’s not the SAME as being an admin. Oh, also, the secrets needed to log in as someone else if you have a login link sent.

Topic		Replies	Views
Use scoped API Keys Integrations rest-api , how-to	6	2462	September 26, 2020
Create and configure an API key Integrations rest-api , how-to	6	29317	May 10, 2024
Run Data Explorer queries with the Discourse API Integrations data-explorer , rest-api , how-to	14	12651	May 6, 2025
Data Explorer Queries accessible to public Feature data-explorer	11	3770	October 9, 2020
Data Explorer / Discourse API issues Data & reporting data-explorer , rest-api	3	109	May 5, 2025

Ability to have granular scope for data explorer?

Related topics