There's no security #3
Some websites have sections or entries which are not designed to be public. There needs to be a way to whitelist (preferably) or blacklist which sections or entry types can be accessed via this API.
I haven't tested, but I think the Users section should definitely be heavily guarded too so it cannot be queried unless specifically required.
Comments
Good report, thanks. Re: hidden sections, this is definitely on the roadmap. Right now you have to auth with a user token to access the GraphQL service. The thought is that you would be able to query any sections you have access to. Re: users, I haven't given this much thought yet. I'm open to ideas on how to lock this down. Right now you can make tokens that are read or read/write. I could extend that with some concept of "scopes" that conditionally allows user access too…
This was fixed up with #4. Scopes are now implemented on a per-token basis. You can exclude specific types by either query or mutation.
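The two requests in this thread (an allowlist of sections the token may see, and keeping the Users type out of reach unless a token is explicitly granted it) and the maintainer's per-token scopes that exclude types by query or mutation can be sketched as one deny-by-default check. The following is an added illustration written for this page, not the project's own code; the token values, the mode strings, the `sectionAllowlist` and `exclude` fields and the type names `Entries` and `Users` are all assumed for the example.

```javascript
// Added example, not the project's code: deny-by-default authorization for a
// GraphQL API where each token carries its own scopes.
// A token has a mode (read or read/write), an allowlist of content sections it
// may see, and type names it is forbidden to query or mutate ("*" = all types).

// Constructed sample tokens; real tokens would come from a store, not a literal.
const TOKENS = {
  "pub-token": {
    mode: "read",
    sectionAllowlist: ["news", "blog"],
    exclude: { query: ["Users"], mutation: ["*"] },
  },
  "editor-token": {
    mode: "read/write",
    sectionAllowlist: ["news", "blog", "internal"],
    exclude: { query: ["Users"], mutation: ["Users"] },
  },
};

function lookupToken(value) {
  return Object.prototype.hasOwnProperty.call(TOKENS, value) ? TOKENS[value] : null;
}

// True when the token's scope excludes this GraphQL type for this operation.
function isExcluded(token, operation, typeName) {
  const list = token.exclude[operation] || [];
  return list.includes("*") || list.includes(typeName);
}

// Decide whether `operation` ("query" | "mutation") on `typeName`, optionally
// scoped to a content `section`, is permitted for the token. Everything not
// explicitly allowed is refused: unknown tokens, unknown operations,
// mutations on read-only tokens, excluded types and sections off the allowlist.
function authorize(tokenValue, operation, typeName, section = null) {
  const token = lookupToken(tokenValue);
  if (!token) return { ok: false, reason: "unknown token" };
  if (operation !== "query" && operation !== "mutation") {
    return { ok: false, reason: "unknown operation" };
  }
  if (operation === "mutation" && token.mode !== "read/write") {
    return { ok: false, reason: "token is read-only" };
  }
  if (isExcluded(token, operation, typeName)) {
    return { ok: false, reason: `${typeName} is excluded for ${operation}` };
  }
  if (section !== null && !token.sectionAllowlist.includes(section)) {
    return { ok: false, reason: `section ${section} is not in the allowlist` };
  }
  return { ok: true, reason: "allowed" };
}

// Narrow a requested list of sections to those the token may read, so a
// resolver never sees (or leaks the existence of) hidden sections.
function visibleSections(tokenValue, requested) {
  const token = lookupToken(tokenValue);
  if (!token) return [];
  return requested.filter((s) => token.sectionAllowlist.includes(s));
}

// Stand-alone usage: a public read token may list news entries but not users.
console.log(authorize("pub-token", "query", "Entries", "news"));
console.log(authorize("pub-token", "query", "Users"));
console.log(visibleSections("pub-token", ["news", "internal", "blog"]));
```

The allowlist is applied to sections (what the reporter preferred) while the exclusion list is applied to types per operation (what the maintainer shipped); combining both means a token must be granted a section and must not be denied the type before a resolver runs, and a token that is never granted `Users` cannot reach it by either path.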