API calls with master key returning private topics?

(Roberto_Pezzali) #1

I’m not sure if we should consider this a bug, but when I retrieve the “latest_topics” using the Discourse API with the system master key, the private topics are also returned by the API call. I publish some posts in the “meta” forum, which is open only to admins, and they are shown on my homepage.

Any idea?

(Jeff Atwood) #2

Maybe try using an API key for a regular non-staff user instead?

(Roberto_Pezzali) #3

That should be a solution… but maybe it is better to separate the API call: latest_public_topics and latest_topics.

Now I will separate the API key…

(Sam Saffron) #4

I am not sure about that. The permission system is rich; allowing for a single edge case in the API seems odd.

Why not then add an endpoint for latest topics that trust_level_1 users can see, and so on?

(Kane York) #5

Another solution would be (a) just request it as an anon (nothing wrong with that!) or (b) specify a different, unprivileged username - the master api key lets you use any username.
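The two options suggested in this thread (anonymous request, or the key paired with an unprivileged username), sketched as an added example that is not part of the original posts and is not Discourse's own code. It assumes a Discourse version that accepts the `Api-Key` and `Api-Username` request headers and the usual `topic_list.topics` shape of `/latest.json`; the base URL, the `homepage_reader` username, the category ids and the sample response are constructed.

```python
import json
import urllib.request


def auth_headers(api_key=None, api_username=None):
    """Headers for a Discourse API call. No key means an anonymous request,
    which can only ever see what a logged-out visitor sees."""
    if api_key is None:
        return {}
    if not api_username:
        # A key without an explicit user invites falling back to a
        # privileged account; make the caller name the user to act as.
        raise ValueError("name the (unprivileged) user to act as")
    return {"Api-Key": api_key, "Api-Username": api_username}


def fetch_latest(base_url, api_key=None, api_username=None):
    """GET /latest.json with the visibility of the chosen user."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/latest.json",
        headers=auth_headers(api_key, api_username),
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def public_topics(latest, public_category_ids):
    """Defence in depth before rendering on a public homepage: keep only
    topics whose category is on an explicit allowlist of public ones."""
    topics = latest.get("topic_list", {}).get("topics", [])
    return [t for t in topics if t.get("category_id") in public_category_ids]


# Constructed sample of what a staff-level request could return:
# category 5 is public, category 9 stands in for an admin-only "meta" forum.
SAMPLE_LATEST = {"topic_list": {"topics": [
    {"id": 101, "title": "Welcome", "category_id": 5},
    {"id": 102, "title": "Internal roadmap", "category_id": 9},
    {"id": 103, "title": "Release notes", "category_id": 5},
]}}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for topic in public_topics(SAMPLE_LATEST, {5}):
        print(topic["id"], topic["title"])
    print(auth_headers("KEY_PLACEHOLDER", "homepage_reader"))
```

`fetch_latest("https://forum.example.com")` with no key is option (a); passing the key together with an unprivileged username is option (b).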