XF 2.1 REST API

Georgsius

Member
Hello,
With api I want to make new posts and threads not from users, but from guests. How can I do that? If I make new guest key from admin panel, how can I select name for that guest?
Is it possible to allow guest posting from rest api and disallow guest posting from web interface?
 

donwon

Active member
API keys

All API access requires authentication using a key. Keys can only be created in the control panel by a super administrator. Because the ability to create an API key is very powerful, simply accessing the keys may require an additional password check. This is similar to GitHub's "sudo mode".

When accessing the API, you will always be acting as a particular user. This will be used to know who is creating content or what permissions to use, though there are some exceptions to this which we'll get into later. Therefore, there are three types of API keys:
  1. Guest keys. This will only be able to access data that a guest can access. To emphasize, a key must still be created, even for guest API access.
  2. User keys. These keys are tied to a particular user. All actions (such as creating a thread) will be attributed to this user and their permissions will be taken into account.
  3. Super user key. These are the most powerful keys, and can access the API as any user and bypass the user's permissions if needed. These keys are primarily designed for complex integrations. For example, you may integrate with a third-party CMS that creates a thread whenever you post a new article. This type of key would allow you to create a thread with a different user depending on the article author or in a forum that users normally can't post in.
Super user keys (or user keys attached to privileged users) are very powerful, so it is important that you protect any created API keys so that they can't be used in unexpected ways, such as by bulk deleting threads or even whole nodes.

To help limit the amount of damage that could be done by a compromised key, every key has a set of allowed scopes:


This screenshot only shows a few of the available scopes. Each content type or action exposed by the API will be covered by some sort of scope. For example, threads and posts are covered by distinct scopes to limit reading, writing (creating/updating/soft-deleting) and hard deleting. For security, you should only give a key the API scopes that you intend to use.

No API key can take a particular action unless it has the relevant scope. For example, if you have an integration that needs a super user key to post a thread, then you would want to give it thread:write (and likely thread:read as well), but you wouldn't want to give it node:delete or user:delete.

(For those of you keeping score, API scopes are what's using the entity relation values via closures change as discussed on Tuesday. The type:action convention is in various APIs, so it made sense for us to use it too but that isn't valid as a phrase name.)

To further aid security, whenever an API key is generated or modified, all super admins will be sent an email.

Now that we have an API key, we can start to access the API...
One of our advertisers was wanting a super user key so he could create a way to set up automatic scheduled posts for himself. After reading this I am not very comfortable with it. Thoughts?
 

Lukas W.

Formerly katsulynx
They don't need a super user key for posting, a normal user key for their account will be sufficient.
 
Top