DEV: Require at least one scope for API key granular mode (#31253)

Currently, if creating an API key in "granular" mode, and not selecting any scopes, a globally scoped API key is created. This can be surprising and is not ideal. Having a key with no scopes isn't useful in the first place, so this PR adds client- and server-side validations to check that at least one scope is selected if using "granular" mode.
Ted Johansson
2025-02-10 13:22:08 +08:00
committed by GitHub
parent 7be88bbe8a
commit 3d11e3ca10
7 changed files with 55 additions and 2 deletions

@ -75,6 +75,7 @@ class Admin::ApiController < Admin::AdminController
ApiKey.transaction do
api_key.created_by = current_user
api_key.api_key_scopes = build_scopes
api_key.scope_mode = params.dig(:key, :scope_mode)
if username = params.require(:key).permit(:username)[:username].presence
api_key.user = User.find_by_username(username)
raise Discourse::NotFound unless api_key.user
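
Review bot: `api_key.scope_mode = params.dig(:key, :scope_mode)` takes the mode straight from the request, while the username on the next line goes through `params.require(:key).permit(:username)`. The server-side check described in the commit message is not visible in this hunk, so it is worth confirming what happens when the client omits `scope_mode` or sends a value other than the expected modes while `build_scopes` returns nothing. If the validation only fires when the mode equals "granular", such a request could still produce the globally scoped key this change is meant to prevent. Consider rejecting missing or unknown modes at this point, or having the validation fail whenever scopes are empty and the mode is not explicitly the global one, and add a request spec for the omitted-mode case.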