Developer

After building some tool that uses the API, you still face the problem that a user needs to provide his key to use the Application. For administrators and developers this is no problem, they know the ins and outs of the system (or they should know them). To allow regular users to use an API-App that's something different!

If I build an App it is to read or write data to the site. I have no problem with the fact that users can read data using my App… That would be silly because otherwise I should not have made the App.

It is however different with writing to the site, deleting or modifying. I do NOT wish that a user can modify or delete pages by accident. So I understand the caution here!

But I would allow my users to CREATE pages as much as they want. They can always be removed afterwards.

SO if I would make an API-App for users that allows them to create pages… I have no fear. There is no damage that can be done (maybe overload on the server). But in this case all my users need an API-key. Which is impossible. So far there is no problem because my API-App can use my API-key. BUT then I will be the creator of the pages WHICH is not true.

SO I suggest that the page.save_one has an extra value or some way to save the true creator (%%current.memebr%%) of the page (not the API-key-owner!)

I know that this may sound confusing so please feel free to ask questions.

Other possible solution to this/my problem:

I use PHP to run a API-request. To do this I create external links to my server that runs the API-Applications. Maybe wikidot could create a new kind of link syntax that would allow something like this.

What we need is a trigger for the API to start and a ticket for the user that started the API-App.

Wikidot has build a module listuser… that generates the number and name of the user.
So an API link has this build inside to link the ticket to the user.

Together with the URL you wish the link should go to.

So imagen [[[:API:link-url | linktext]]]

• tripple [[[ because it is an internal link
• :API: will always go to a wikidot-systempage that will add some flag-key (ticket) to the requested link-url.
• the API-App will recieve this information and can act using the flag-key (ticket)
• if the flag-key (ticket) returnes to the API-server of wikidot the userkey can be switched to the correct user (=not the API-developer).

In this scenario the developer never owned the key of the user… so no abuse is possible.

I don't see what's the original problem anyway. Whenever you try to solve problems that are not well defined, more specific problems arise, that are even more problematic than the original (the undefined) one.

If you could say what's your (original) problem, I guess we could all help you.

OK, I see where this is going. The problem here is having web-based applications integrated with Wikidot experience. Similarly to how you can log-in to sites using your Facebok account, or use various Twitter applications (like the Wikidot's one: Tweet My Wiki).

The original way in which API works is there's an (non-web) application that uses some kind of authentication (API key or user/password pair) to do stuff in user's name. This is what Wikidot supports right now.

The "Web 2.0" way is there's web (or desktop) application that asks users to "authorize" the application by pointing them to a special page, on which they can log-in (unless already logged-in) and authorize (or deny) the application. If you want to see how it works live check this blog post (ideally repeating the steps yourself).

As recently we've been playing with Twitter as the client-side of the whole process and we're quite familiar in how it works. Twitter uses OAuth protocol for authentication and probably we'll once implement it too, as there's no point in inventing a new protocol when this works.

Till that time, we'll stick to the old API key method. Answering some of the questions and suggestions above, I would like to say that:

• users won't need to apply for the API keys
• each user will have two API keys: one read-only, one read-write
• we'll assign an URL at which users can see their keys (so that apps can ask them to go there)
• we're not going to allow anyone post as someone else or sometime else (changing page authors or dates of events after they happen)
• we're not going to let users create or modify their accounts or create sites via the API. API will be the way to modify the site contents once the site exists. Site and user creation must be done in-browser. Otherwise we get spammed heavily and we need to shut down the service.

Sorry for being offensive before, I wasn't going to. I just wanted to point that usually it's better to share the original problem instead of asking how to solve all problems that appear after you try to solve the original problem yourself.

Gabrys:

Till that time, we'll stick to the old API key method. Answering some of the questions and suggestions above, I would like to say that:

• users won't need to apply for the API keys
• each user will have two API keys: one read-only, one read-write
• we'll assign an URL at which users can see their keys (so that apps can ask them to go there)
• we're not going to allow anyone post as someone else or sometime else (changing page authors or dates of events after they happen)
• we're not going to let users create or modify their accounts or create sites via the API. API will be the way to modify the site contents once the site exists. Site and user creation must be done in-browser. Otherwise we get spammed heavily and we need to shut down the service.

All of this sounds great - thanks for the answers!