main ← badges-list-api-key-scope
merged 04:32PM - 22 Jun 26 UTC
Previously, listing badges over the API required either a global-scope key or di…sabling "Login required" and issuing an anonymous request, because no granular scope was mapped to the badge-listing endpoints — a problem for closed-site integrations that want to avoid global keys.
This change adds a `badges -> list` scope mapped to both the public `badges#index` and the admin `admin/badges#index`, so a non-admin key can list enabled/listable badges (even on a login-required site, via the API JSON login bypass) and an admin-owned key can additionally fetch the full payload from `/admin/badges.json`. The admin route stays gated by `ensure_admin` / `AdminConstraint`, so the scope grants no admin access on its own.
Meta: https://meta.discourse.org/t/api-granular-scope-to-list-all-badges/405734
