Hi,
currently there are several places in Moodle where '*' is already used: the WebServices layer, login/token.php, the upload files endpoint, etc.
Obviously, making things more limited is usually more secure, but IMO using '*' by itself doesn't have to be a huge risk. IMO it's far more important that you protect any private information requiring a user token or similar like Moodle does. Also, AFAIK there are a lot of public APIs using '*'.
Depending on what you're trying to achieve, maybe you prefer to create a new WebService to be called from your mobile API instead of a standalone script. That way the WebService will receive the user token and can decide which information to return based on the user.
Cheers,
Dani