I generated an admin-issued API key with write, read and read lists scopes. However, when I try to consume the key (adding the key on the header Api-Key) to access the {{localhost}}/posts.json endpoint, I get the following error:
{
  "errors": [
    "You are not permitted to view the requested resource. The API username or key is invalid."
  ],
  "error_type": "invalid_access"
}
On the other hand, generating a global key gives me access to the endpoint. What is the correct (minimum) scope for reading {{localhost}}/posts.json?
I haven’t tested this yet, but I think that what you are seeing is the expected behaviour. You can click on the anchor button that is displayed next to each of the API key scopes to see which paths the scope allows you to access. You’ll see that the read scope is only applied to routes beginning with /t. The read lists scope gives you access to the Discourse topic lists. There isn’t a scope that specifically allows you to access /posts.json, so it looks like you’ll have to use a global key for that.
I’m wondering if it would make sense to add /posts.json to the read scope.
Hi Simon! Thanks for the reply and the explanation. For my use case I’ll need to read the posts from /posts.json, but at the same time I would like to be as unintrusive as possible and only ask for read-only access. Is there any workaround?
If you are only querying for public posts, you might be able to make an unauthenticated API request to /posts.json. If your site is private, or the posts are in protected categories, I think the only way you can currently retrieve the posts is with a global API key.
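The scope behaviour discussed in this thread can be checked before a key is issued. The following is an added example, not part of the original posts and not Discourse's own code: it audits the requests an integration needs against the scopes a key has been granted and reports which ones no scope covers. The route patterns and the name `SCOPE_ROUTES` are constructed assumptions based only on what the thread states; the authoritative list is the one shown by the anchor button next to each scope.

```python
from fnmatch import fnmatchcase

# Constructed, simplified table (assumption, not Discourse's real mapping):
# "read" covers routes beginning with /t, "read_lists" covers topic lists,
# and "write" is assumed to cover creating a post, not listing posts.
SCOPE_ROUTES = {
    "read": [("GET", "/t/*")],
    "read_lists": [("GET", "/latest.json"), ("GET", "/top.json")],
    "write": [("POST", "/posts.json")],
}


def scopes_allowing(method, path, granted):
    """Return the granted scopes that permit this method and path."""
    hits = set()
    for scope in granted:
        for allowed_method, pattern in SCOPE_ROUTES.get(scope, []):
            if allowed_method == method and fnmatchcase(path, pattern):
                hits.add(scope)
    return sorted(hits)


def uncovered(needed, granted):
    """Return the needed requests that no granted scope permits.

    Anything returned here would fail with error_type "invalid_access"
    for a scoped key, so it needs either an unauthenticated request
    (public content only) or a global key.
    """
    return [req for req in needed if not scopes_allowing(*req, granted)]


if __name__ == "__main__":
    granted = {"read", "read_lists", "write"}  # scopes from the question
    needed = [
        ("GET", "/t/welcome/7.json"),  # constructed sample topic path
        ("GET", "/latest.json"),
        ("GET", "/posts.json"),
    ]
    for method, path in needed:
        scopes = scopes_allowing(method, path, granted)
        print(f"{method} {path}: {scopes or 'no scope covers this'}")
    print("Not covered by any scope:", uncovered(needed, granted))
```

Running the audit over the real scope list makes the trade-off explicit: every request left in the uncovered list is one that widens the key from scoped to global.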