How to get taxonomies tags without authentication?

Hi all,

I want to get the tags I created as categories in taxonomies for my react application. But I don’t want any authentication rules when pulling it because I want non-logged in users to see categorised courses. When I make a request with meilisearch, I get cors error. When I make a request to object_tags in Studio, I get ‘Authentication credentials were not provided’ error. How can I solve these problems. It is enough for me if I solve any of them.

meilisearch api link:
https://meilisearch.example.com/multi-search/

object_tags api link:
api/content_tagging/v1/object_tags/course-id/

@braden or @dave any thoughts on this one?

Yep, neither Meilisearch nor the Object Tags API will let you do anything without authentication. However, you have many options for how to solve this problem.

Are you sure you’re making a correct request? Meilisearch uses access-control-allow-origin: * so you really shouldn’t be seeing CORS errors if you’re hitting Meilisearch directly.

One option would be using Meilisearch, though I didn’t think that the tags applied to courses were actually included in the search index? If they are, then you can use that. First, run tutor config printvalue MEILISEARCH_API_KEY to get the master API key, then open a python shell (in the CMS container), connect to Meilisearch using the official SDK which is already installed, and create a restricted tenant token. Make sure to specify the right filters so this token only has read access to the courses/tags, and nothing else (you don’t want unregistered users to be able to see the entire contents of all your courses and exams for example, which could be possible with a misconfiguration!). Once you have a suitably restricted tenant token, you can include that token in your React application and use it to query Meilisearch, using their JavaScript SDK or Instantsearch.js.

The second option is to create a new backend plugin that adds a new, anonymous-friendly REST API endpoint to the platform. It can be super simple, e.g. pass a course ID in the URL and return the list of tags, or however you want it to work. The point is just that you implement a new endpoint which explicitly allows anonymous users, and it in turn uses the python tagging API to retrieve the allowed information.

The third option is to open a PR to add this capability to the platform: modify the Learning Core Tagging APIs to allow anonymous users, and implement some system-wide setting or per-taxonomy setting that allows anonymous users to view certain tags (see current permissions logic here). This would require some discussions with Product first.