Quest re rest scopes and global theme rest calls

In 12.1 rest scopes have been introduced which limit access to rest calls

In the UX these are normally added to a widget in the main config panel as below

We have some js to replace the std tag editor on a site so we no longer call

b.telligent.evolution.site.getBaseUrl() + "api.ashx/v2/aggregatetags.json",

but use a custom endpoint

b.telligent.evolution.site.getBaseUrl() + "api.ashx/v2/subtopic/listAsTags.json?

When the legacy option "Enable all REST scopes for the user interface" is disabled this if failing with the pop message as below

I realise we can add custom scopes to the custom rest endpoint as per the new developer documentation

My question is how/where do we flag these endpoints as safe as per the core one used for tag lookups when the call is made from events in theme js?

Top Replies

Ben Tiedt over 1 year ago in reply to Ben Tiedt +1 verified

I take that back slightly. Adding the scopes to the themes of the community will allow those scopes from any page within the theme. This may be the best approach for overriding platform functionality …

Parents

0 Ben Tiedt over 1 year ago

There are not safe endpoints. You would need to grant the noscope.default.readonly scope to all widgets that make use of your custom endpoint until it has a unique scope. Any endpoint that doesn't define its own scope is put into the noscope category.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Karl Barber over 1 year ago in reply to Ben Tiedt

Looking at tags as a global example, the widgets do not specify the scope for the api.ashx/v2/aggregatetags.json endpoint, so as we are replacing this to avoid changing every widget this doesn't seem like workable option?

Can we use the same scope for the replacement endpoint ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben Tiedt over 1 year ago in reply to Karl Barber

Endpoints used by the platform javascript (such as tag editing UI implemented as jQuery plugins in the platform javascript) are considered globally accessible to the UI and are not registered individually by widgets. There is not, currently, however a way to add additional globally accessible REST scopes.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Ben Tiedt over 1 year ago in reply to Ben Tiedt

I take that back slightly. Adding the scopes to the themes of the community will allow those scopes from any page within the theme. This may be the best approach for overriding platform functionality (which I assume is done within the theme)
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Karl Barber over 1 year ago in reply to Ben Tiedt

Ah thanks Ben I had not seen anything about the theme scope in the documentation, which mention widgets but not the theme itself
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Karl Barber over 1 year ago in reply to Ben Tiedt

Ah thanks Ben I had not seen anything about the theme scope in the documentation, which mention widgets but not the theme itself
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data