What scopes exactly does the Wordpress API key need?

I would prefer to not give a global API key to the wordpress plugin. I don’t want a compromise in the wordpress site to result in user accounts deleted (or edited, or logged out). However, limiting the scopes by guesswork seems to give weird results (like it can’t load subcategories).

What scopes does this actually need to work?

4 Likes

With the Wordpress pre-dating the Admin API scopes by several years I doubt it can work with it.

It’s an interesting feature request.

I would really appreciate it. The global API key can do a lot of things, and we’re using our Discourse instance for more than just the blog comments, so it’d be nice to keep it scoped to just what it needs.

Is such a feature request better in this category, or in features?

I’ve been thinking the same thing! (I currently maintain the plugin). This is the right category to raise it.

I’ll discuss it with @simon and get back to you.

3 Likes

@angus Did this go anywhere? We’d like to use this on one of our wordpress sites where we have a less-than-tightly-controlled set of users with admin access, and I don’t want that to be an escalation into full admin access on our Discourse site.

Hey Matt, thanks for the bump on this. I’ll give you a full response by the end of the week.

1 Like

@mattdm An update on this. I’m preparing changes that will allow you to generate an API key with scopes specific to the feature-set of the WP Discourse plugin you’re using.

This will require changes to core Discourse, so it is subject to approval. Will keep you up to date this week as I make a PR.

2 Likes

@mattdm Update: there are two PRs in draft that seek to address this. As mentioned the approach will needs to be approved first. More explanatory notes on the discourse/discourse PR.

2 Likes

This looks like it has stalled out. I’d like to use this plugin for Fedora Magazine, which has a pretty open access policy by design — even more than the Fedora Community Blog which we’re using it with currently. Any news, by any chance?

Thanks for the prompt @mattdm, and good timing as I have it in my calendar to pick this up again next week now there’s been some movement on the Discourse PR. Will give you an update on this next week.

1 Like

Just a note that the Discourse piece of this has been submitted for review (i.e. moved out of draft).

Once that’s merged, the WP Discourse piece can be merged and released.

2 Likes

@mattdm Granular scopes are now released in WP Discourse 2.4.3 :tada:. If you’re on the latest Discourse and the latest version of the plugin you’ll be able to use them. I’ll be publishing a full guide on how to use them later in the week.

edit Here’s the guide!

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.