Updated comments around API access

no issue

- While auditing the access rights to endpoints, I have come across the "stable" / "experimental" notes that do not make any sense in the current approach towards the API. Every endpoint that's documented and exposed just "is" there: no stable/unstable/canary/whatever distinction in the Admin API since Ghost v5
- Staff tokens were also acked as a separate way to access the API, so we have them in mind when modifying the access-list
Naz 2022-08-30 11:23:47 +08:00
parent 619af026d6
commit 8af8905fa9
No known key found for this signature in database


@ -14,15 +14,13 @@ const notImplemented = function (req, res, next) {
return next();
}
// @NOTE: integrations have limited access for now
// @NOTE: integrations & staff tokens have limited access to the API
const allowlisted = {
// @NOTE: stable
site: ['GET'],
posts: ['GET', 'PUT', 'DELETE', 'POST'],
pages: ['GET', 'PUT', 'DELETE', 'POST'],
images: ['POST'],
webhooks: ['POST', 'PUT', 'DELETE'],
// @NOTE: experimental
actions: ['GET'],
tags: ['GET', 'PUT', 'DELETE', 'POST'],
labels: ['GET', 'PUT', 'DELETE', 'POST'],
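
Review bot: The replacement comment above `allowlisted` now names staff tokens, but it still does not say what the list means for a resource or method that is absent, which is the property an access audit needs to read off this block. `webhooks: ['POST', 'PUT', 'DELETE']` omits GET and `images: ['POST']` allows only one method; with the `stable` / `experimental` markers gone, nothing here indicates whether those omissions are deliberate. Suggest extending the note to state how integration and staff-token requests for unlisted resources or methods are handled (as the surrounding middleware implements it), and that the per-resource method lists are intentionally minimal. Since the visible change touches only comments, a test exercising a staff token against a method that is not listed would back up the new wording.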