I would prefer to not give a global API key to the wordpress plugin. I don’t want a compromise in the wordpress site to result in user accounts deleted (or edited, or logged out). However, limiting the scopes by guesswork seems to give weird results (like it can’t load subcategories).
I would really appreciate it. The global API key can do a lot of things, and we’re using our Discourse instance for more than just the blog comments, so it’d be nice to keep it scoped to just what it needs.
@angus Did this go anywhere? We’d like to use this on one of our wordpress sites where we have a less-than-tightly-controlled set of users with admin access, and I don’t want that to be an escalation into full admin access on our Discourse site.
@mattdm An update on this. I’m preparing changes that will allow you to generate an API key with scopes specific to the feature-set of the WP Discourse plugin you’re using.
@mattdm Update: there are two PRs in draft that seek to address this. As mentioned the approach will needs to be approved first. More explanatory notes on the discourse/discourse PR.
This looks like it has stalled out. I’d like to use this plugin for Fedora Magazine, which has a pretty open access policy by design — even more than the Fedora Community Blog which we’re using it with currently. Any news, by any chance?
Thanks for the prompt @mattdm, and good timing as I have it in my calendar to pick this up again next week now there’s been some movement on the Discourse PR. Will give you an update on this next week.
@mattdm Granular scopes are now released in WP Discourse 2.4.3. If you’re on the latest Discourse and the latest version of the plugin you’ll be able to use them. I’ll be publishing a full guide on how to use them later in the week.
. If you’re on the latest Discourse and the latest version of the plugin you’ll be able to use them. I’ll be publishing a full guide on how to use them later in the week.