Permissions and Scopes
Disqus implements permissions slightly differently from what you may expect. For starters, every request has a base set of explicit permissions depending on the authenticated user. Generally those permissions are defined as part of the scope granted during the authentication process. On top of this, every object also has its own scoping for those same permissions:
- Read access on data.
- Write access on data.
- Forum moderation capabilities.
The admin scope is less clearly defined than read and write.
For the sake of our example, we're going to say those permissions are only read and write. Now let's say you're looking up a user's information on Disqus. We're going to check two things:
- Do you have read permission (based on your explicit permissions)?
- Does the user you're reading allow you to have read permission on it?
Note: These permissions may also affect what fields are returned within an object.
This example isn't very illuminating on its own, because even anonymous users have read permission on all users (both checks pass). The more interesting scoping happens when we're trying to perform writes on various objects.
To illustrate this, let's say we're trying to create a post, via the posts/create endpoint. In this request, we're going to run through several permission checks:
- Does the user have write scope?
- Does the user have read permission on the forum they're creating a post for?
- Does the user have write permission on the thread they're creating a post for?
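The two-layer model described above (an explicit scope on the caller, plus the object's own rule for the same permission) is easy to get wrong by checking only one layer. The following is an added example, not Disqus's code: it models the users/details read checks and the three posts/create checks in the order listed, with a hypothetical private-forum flag, closed-thread flag and email field filtering standing in for object-level rules the page does not spell out.

```python
from dataclasses import dataclass
from typing import Optional


class PermissionDenied(Exception):
    """Raised when either the scope check or the object's own check fails."""


@dataclass(frozen=True)
class Principal:
    """The caller: who they are and the explicit permissions (scopes) their
    authentication granted. user=None models an anonymous request."""
    user: Optional[str]
    scopes: frozenset = frozenset()


@dataclass
class User:
    username: str
    email: str

    def allows(self, perm: str, who: Principal) -> bool:
        # Every user allows read to everyone, anonymous callers included.
        return perm == "read"


@dataclass
class Forum:
    name: str
    private: bool = False             # assumption: private forums restrict reads
    members: frozenset = frozenset()

    def allows(self, perm: str, who: Principal) -> bool:
        if perm == "read":
            return not self.private or who.user in self.members
        return who.user in self.members


@dataclass
class Thread:
    forum: Forum
    closed: bool = False              # assumption: closed threads reject new posts

    def allows(self, perm: str, who: Principal) -> bool:
        if perm == "read":
            return self.forum.allows("read", who)
        if perm == "write":
            return who.user is not None and not self.closed
        return False


def check(who: Principal, perm: str, obj) -> None:
    """Layer 1: the caller's explicit scope. Layer 2: the object's own rule.
    Both must pass; passing only the scope check is not enough."""
    if perm not in who.scopes:
        raise PermissionDenied(f"token lacks the '{perm}' scope")
    if not obj.allows(perm, who):
        name = who.user or "anonymous"
        raise PermissionDenied(f"{type(obj).__name__} denies '{perm}' to {name}")


def user_details(who: Principal, user: User) -> dict:
    """users/details: read permission on the User object, then field filtering."""
    check(who, "read", user)
    data = {"username": user.username}
    # Assumed field policy: the email is only returned to the user themself.
    if who.user == user.username:
        data["email"] = user.email
    return data


def create_post(who: Principal, thread: Thread, message: str) -> dict:
    """posts/create: the three checks listed above, in order."""
    if "write" not in who.scopes:                 # 1. write scope on the caller
        raise PermissionDenied("token lacks the 'write' scope")
    check(who, "read", thread.forum)              # 2. read permission on the forum
    check(who, "write", thread)                   # 3. write permission on the thread
    return {"forum": thread.forum.name, "author": who.user, "message": message}


def is_denied(fn, *args) -> bool:
    """True if the call is refused by either layer."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data, not real Disqus objects.
    anon = Principal(None, frozenset({"read"}))
    alice = Principal("alice", frozenset({"read", "write"}))
    public = Forum("public")
    print(user_details(anon, User("alice", "alice@example.com")))
    print(create_post(alice, Thread(public), "hello"))
    print("closed thread denied:", is_denied(create_post, alice, Thread(public, closed=True), "x"))
```

Note that `create_post` still calls `check` for the forum read, so a token holding only the write scope is refused at the forum step: the page's "read permission" means the explicit scope and the object's rule together, not the object's rule alone.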
While the scopes we currently provide are limited, we do plan to expand on this in the future.