mattdm
2021 年 1 月 11 日午後 8:57
1
I would prefer to not give a global API key to the wordpress plugin. I don’t want a compromise in the wordpress site to result in user accounts deleted (or edited, or logged out). However, limiting the scopes by guesswork seems to give weird results (like it can’t load subcategories).
What scopes does this actually need to work?
「いいね!」 4
Falco
2021 年 1 月 11 日午後 10:24
2
With the Wordpress pre-dating the Admin API scopes by several years I doubt it can work with it.
It’s an interesting feature request.
mattdm
2021 年 1 月 11 日午後 10:37
3
I would really appreciate it. The global API key can do a lot of things, and we’re using our Discourse instance for more than just the blog comments, so it’d be nice to keep it scoped to just what it needs.
mattdm
2021 年 1 月 11 日午後 11:29
4
Is such a feature request better in this category, or in features?
angus
2021 年 1 月 12 日午前 7:36
5
I’ve been thinking the same thing! (I currently maintain the plugin). This is the right category to raise it.
I’ll discuss it with @simon and get back to you.
「いいね!」 3
mattdm
2021 年 12 月 11 日午後 5:47
6
@angus これはどこかに進みましたか?管理アクセス権を持つユーザーの管理がそれほど厳密ではないWordPressサイトで使用したいと考えており、Discourseサイトでの完全な管理者アクセスへのエスカレーションを望んでいません。
angus
2021 年 12 月 14 日午前 5:55
7
マットさん、この件を再度取り上げていただきありがとうございます。今週末までには、詳細な返信をいたします。
「いいね!」 1
angus
2021 年 12 月 20 日午前 2:15
8
@mattdm これに関するアップデートです。現在使用しているWP Discourseプラグインの機能セットに固有のスコープを持つAPIキーを生成できるようにする変更を準備しています。
これにはDiscourseコアの変更が必要となるため、承認待ちとなります。今週、PRを作成しながら最新情報をお伝えします。
「いいね!」 2
angus
2021 年 12 月 20 日午前 9:50
9
@mattdm 更新:これを解決するための2つのPRがドラフト中です。前述のように、アプローチは最初に承認される必要があります。discourse/discourse PRに関するより詳しい説明はこちら。
main ← angusmcleod:fix_wordpress_scopes
opened 09:46AM - 20 Dec 21 UTC
I'm looking to add granular API key usage for the WP Discourse plugin. This invo… lves:
- Updating the "wordpress" default mappings to reflect the actions being used by the plugin, grouped by the feature-set they relate to (note that the existing "wordpress" action in the "topic" resource only relates to comment retrieval in the plugin, and is somewhat confusing in its current state).
- Adding a ``session/scopes`` endpoint, which returns the scopes associated with the api key in the request.
This is the companion PR on the plugin, which will provide further context to this: https://github.com/discourse/wp-discourse/pull/431. See in particular [``validate_scopes``](https://github.com/discourse/wp-discourse/pull/431/files#diff-5fd9ce264afeb5f617119db36e34a2e5a33f605527ac6fa9ee761b8123f1a17eR185).
If this approach is acceptable, I'll do some more testing before moving this out of draft. Below are some Q/A explaining my thinking behind this.
### Why does the wordpress plugin need granular scopes?
Currently the plugin requires the use of a global key, but only uses a subset of the actions, creating more risk than necessary. [See for example](https://meta.discourse.org/t/what-scopes-exactly-does-the-wordpress-api-key-need/175812).
### Why group the scopes by feature set?
This is how people use the plugin. Some use only SSO, some only publishing, some without comments etc. If a user is not using SSO they should be able to use a key that doesn't include the ``admin/user`` actions SSO requires.
Currently the "publishing" feature set cannot be totally disabled in the plugin (hence the "(required)" in the action description), however the ability to disable it (and just use SSO) may be added.
### Why add a ``session/scopes`` endpoint?
The WP Discourse plugin currently sends a request to ``/users/:username`` to test its connection to Discourse. This may be successful even if the allowed scopes are insufficient for how the plugin is configured.
A scopes endpoint tells the API consumer both whether the connection is successful and what scopes their key has. There's similar implementations in other APIs, e.g [Sendgrid](https://docs.sendgrid.com/api-reference/api-key-permissions/retrieve-a-list-of-scopes-for-which-this-user-has-access).
### Why add the ``scopes`` endpoint to the session controller?
The endpoint could go in a few different places. I figured it belonged there as essentially you're asking about the scopes in the session created when the api-authenticated request is made.
### Why not use a ``tokeninfo`` endpoint?
``tokeninfo`` endpoints are part of the OAuth 2.0 spec, which is not what we're dealing with here. Using it may be confusing.
main ← angusmcleod:granular_api_key_support
opened 09:16AM - 20 Dec 21 UTC
- Wordpress 6.0 support
- Granular API Key support (backwards compatible)
- Di… scourseConnect copy fix
- Add wpdc_publish_body filter
「いいね!」 2
mattdm
2022 年 4 月 8 日午後 6:35
10
これは停滞しているようです。Fedora Magazine でこのプラグインを使用したいのですが、Fedora Community Blog よりも、設計上かなりオープンなアクセス ポリシーを持っています。現在、それを使用しています。何かニュースはありますか?
angus
2022 年 4 月 9 日午前 10:03
11
迅速なご対応ありがとうございます、@mattdm さん。Discourse PR で動きがあったので、来週改めてこの件に取り組む予定です。来週、進捗をご報告します。
「いいね!」 1
angus
2022 年 4 月 18 日午後 1:07
12
Discourse の部分については、レビューのために提出済み(ドラフトから移動済み)であることをお知らせします。
main ← angusmcleod:fix_wordpress_scopes
opened 09:46AM - 20 Dec 21 UTC
I'm looking to add granular API key usage for the WP Discourse plugin. This invo… lves:
- Updating the "wordpress" default mappings to reflect the actions being used by the plugin, grouped by the feature-set they relate to (note that the existing "wordpress" action in the "topic" resource only relates to comment retrieval in the plugin, and is somewhat confusing in its current state).
- Adding a ``session/scopes`` endpoint, which returns the scopes associated with the api key in the request.
This is the companion PR on the plugin, which will provide further context to this: https://github.com/discourse/wp-discourse/pull/431. See in particular [``validate_scopes``](https://github.com/discourse/wp-discourse/pull/431/files#diff-5fd9ce264afeb5f617119db36e34a2e5a33f605527ac6fa9ee761b8123f1a17eR185).
If this approach is acceptable, I'll do some more testing before moving this out of draft. Below are some Q/A explaining my thinking behind this.
### Why does the wordpress plugin need granular scopes?
Currently the plugin requires the use of a global key, but only uses a subset of the actions, creating more risk than necessary. [See for example](https://meta.discourse.org/t/what-scopes-exactly-does-the-wordpress-api-key-need/175812).
### Why group the scopes by feature set?
This is how people use the plugin. Some use only SSO, some only publishing, some without comments etc. If a user is not using SSO they should be able to use a key that doesn't include the ``admin/user`` actions SSO requires.
Currently the "publishing" feature set cannot be totally disabled in the plugin (hence the "(required)" in the action description), however the ability to disable it (and just use SSO) may be added.
### Why add a ``session/scopes`` endpoint?
The WP Discourse plugin currently sends a request to ``/users/:username`` to test its connection to Discourse. This may be successful even if the allowed scopes are insufficient for how the plugin is configured.
A scopes endpoint tells the API consumer both whether the connection is successful and what scopes their key has. There's similar implementations in other APIs, e.g [Sendgrid](https://docs.sendgrid.com/api-reference/api-key-permissions/retrieve-a-list-of-scopes-for-which-this-user-has-access).
### Why add the ``scopes`` endpoint to the session controller?
The endpoint could go in a few different places. I figured it belonged there as essentially you're asking about the scopes in the session created when the api-authenticated request is made.
### Why not use a ``tokeninfo`` endpoint?
``tokeninfo`` endpoints are part of the OAuth 2.0 spec, which is not what we're dealing with here. Using it may be confusing.
それがマージされたら、WP Discourse の部分をマージしてリリースできます。
「いいね!」 2
angus
2022 年 5 月 24 日午後 4:34
13
@mattdm WP Discourse 2.4.3 で、詳細なスコープがリリースされました
編集 ガイドはこちらです!
「いいね!」 6
system
2022 年 6 月 23 日午後 4:35
14
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
。最新の Discourse とプラグインの最新バージョンを使用している場合、それらを使用できます。今週後半に、それらの使用方法に関する完全なガイドを公開します。