Require authentication to load trash projects using the API

ScolderCreations

When a project is in the trash folder, external services can still access it using the API. I think we should make it so that the only person who can load a trashed project through the API, is someone who is currently logged in as the user who made the project. I'm not sure how easy this would be to implement, but it would stop people from viewing projects that were trashed using external sources.

There’s no point in a trashing system if there’s no difference between trash projects and unshared ones.

Last edited by ScolderCreations (Nov. 16, 2021 14:50:55)

ScolderCreations

ScolderCreations

Bump

ScolderCreations

Bump

SonicFanX123_321

support. it'd be less intrusive.

this is my page

I'm not active on scratch anymore, I moved on.

ScolderCreations

Bump

Ciyob86

Support!, this should also be done with unshared projects.

Last edited by Ciyob86 (Aug. 1, 2021 17:24:28)

ScolderCreations

Ciyob86 wrote:
Support!, this should also be done with unshared projects

some people may want to share unshared projects with external services.

LankyBox01

Wait, that exists?

Do you have trouble with scratch slang? Check this awesome site out!

I'm a red panda btw

ScolderCreations

LankyBox01 wrote:
Wait, that exists?

can you be more specific?

LankyBox01

ScolderCreations wrote:
LankyBox01 wrote:
Wait, that exists?
can you be more specific?

You can actually access trashed projects using the API? Let me test it-

Do you have trouble with scratch slang? Check this awesome site out!

I'm a red panda btw

ScolderCreations

Yes, I know because Turbowarp can load projects that are currently in the trash.

LankyBox01

ScolderCreations wrote:
Yes, I know because Turbowarp can load projects that are currently in the trash.

I tried it, and it doesn't work. Let me inspect turbowarp's source code.

Do you have trouble with scratch slang? Check this awesome site out!

I'm a red panda btw

ScolderCreations

While people cannot access trash projects through the main site, they can still load the project file through the API.

LankyBox01

ScolderCreations wrote:
While people cannot access trash projects through the main site, they can still load the project file through the API.

I know that.

fetch('https://api.scratch.mit.edu/projects/(removed)/')
.then(response => response.json())
.then(data => console.log(data));

A deleted project of mine cannot be fetched

Last edited by LankyBox01 (July 31, 2021 19:36:33)

Do you have trouble with scratch slang? Check this awesome site out!

I'm a red panda btw

LankyBox01

Ah, i see the API issue. You can access literally any project, even if it's in the trash folder OR unshared.

https://projects.scratch.mit.edu/{PROJECT_ID}

All that needs to be changed is the projects.scratch.mit.edu api

Do you have trouble with scratch slang? Check this awesome site out!

I'm a red panda btw

ScolderCreations

Bump

ScolderCreations

ScolderCreations wrote:
Bump

ScolderCreations

ScolderCreations wrote:
ScolderCreations wrote:
Bump

ScolderCreations

ScolderCreations wrote:
ScolderCreations wrote:
ScolderCreations wrote:
Bump

Discuss Scratch