From 8af8905fa9a8c3b4dcd8e68949d8373f26e71d4c Mon Sep 17 00:00:00 2001
From: Naz
Date: Tue, 30 Aug 2022 11:23:47 +0800
Subject: [PATCH] Updated comments around API access no issue - While auditing the access rights to endpoints have come across the "stable" / "experimental" notes that do not make any sense in the current approach towards the API. Every endpoint that's documented and exposed just "is" there no stable/unstable/canary/whatever distinction in the Admin API since Ghost v5 - Staff tokens were also acked as a separate way to access the API, so we have them in mind when modifying the access-list
---
 ghost/core/core/server/web/api/endpoints/admin/middleware.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ghost/core/core/server/web/api/endpoints/admin/middleware.js b/ghost/core/core/server/web/api/endpoints/admin/middleware.js
index e519535e49..f3e2d63ab8 100644
--- a/ghost/core/core/server/web/api/endpoints/admin/middleware.js
+++ b/ghost/core/core/server/web/api/endpoints/admin/middleware.js
@@ -14,15 +14,13 @@ const notImplemented = function (req, res, next) {
 return next();
 }
- // @NOTE: integrations have limited access for now
+ // @NOTE: integrations & staff tokens have limited access to the API
 const allowlisted = {
- // @NOTE: stable
 site: ['GET'],
 posts: ['GET', 'PUT', 'DELETE', 'POST'],
 pages: ['GET', 'PUT', 'DELETE', 'POST'],
 images: ['POST'],
 webhooks: ['POST', 'PUT', 'DELETE'],
- // @NOTE: experimental
 actions: ['GET'],
 tags: ['GET', 'PUT', 'DELETE', 'POST'],
 labels: ['GET', 'PUT', 'DELETE', 'POST'],
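Review bot: The reworded comment above `allowlisted` now says staff tokens are restricted by this map, but nothing in the hunk shows that staff-token requests actually reach it; the guard that decides which requests are checked sits earlier in `notImplemented`, outside the hunk, and the function body also continues past the last visible entry. Because the map acts as an access-control list, the comment should state what it enforces, not only whom it concerns, for example `// @NOTE: integration and staff-token requests may only use the resources and HTTP methods listed below`. If requests for unlisted resources or methods are rejected (not visible here), say so in the same comment. With the stable/experimental markers removed, a short reminder such as `// adding an entry here exposes that resource/method to token-authenticated requests` would help whoever edits the list next, assuming that is how the map is consumed.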