Apply suggestions from code review

qqmyers · pdurbin · web-flow · commit 1b80bc71c704 · 2025-06-03T12:30:04.000-04:00
Co-authored-by: Philip Durbin &lt;philip_durbin@harvard.edu&gt;
diff --git a/doc/release-notes/Filter-efficiency.md b/doc/release-notes/Filter-efficiency.md
@@ -17,7 +17,7 @@ New JvmSettings:
 - `dataverse.cors.headers.allow`: Allowed headers for CORS requests
 - `dataverse.cors.headers.expose`: Headers to expose in CORS responses
 - `dataverse.api.blocked.policy`: Policy for blocking API endpoints
-- `dataverse.api.blocked.endpoints`: List of API endpoints to be blocked
+- `dataverse.api.blocked.endpoints`: List of API endpoints to be blocked (comma-separated)
 - `dataverse.api.blocked.key`: Key for unblocking API endpoints
 
 Deprecated database settings:
@@ -35,6 +35,9 @@ If :AllowCors is not set or is true:
 bin/asadmin create-jvm-options -Ddataverse.cors.origin=*
 
 Optionally set origin to a list of hosts and/or set other CORS JvmSettings
+Your currently blocked API endpoints can be found at http://localhost:8080/api/admin/settings/:BlockedApiEndpoints
+
+Copy them into the new setting with the following command. As with the deprecated setting, the endpoints should be comma-separated.
 
 bin/asadmin create-jvm-options '-Ddataverse.api.blocked.endpoints=<current :BlockedApiEndpoints>'
 
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
@@ -3184,9 +3184,13 @@ Can also be set via any `supported MicroProfile Config API source`_, e.g. the en
 dataverse.api.blocked.endpoints
 +++++++++++++++++++++++++++++++
 
-A comma-separated list of API endpoints that should be blocked. For example:
+A comma-separated list of API endpoints that should be blocked. A minimal example that blocks endpoints for security reasons:
 
-``./asadmin create-jvm-options '-Ddataverse.api.blocked.endpoints=api/datasets/:persistentId/versions/:versionId/files,api/files/:id'``
+``./asadmin create-jvm-options '-Ddataverse.api.blocked.endpoints=api/admin,api/builtin-users'``
+
+Another example:
+
+``./asadmin create-jvm-options '-Ddataverse.api.blocked.endpoints=api/admin,api/builtin-users,api/datasets/:persistentId/versions/:versionId/files,api/files/:id'``
 
 Defaults to an empty string (no endpoints blocked), but, in almost all cases, should include at least ``admin, builtin-users`` as a security measure.
 
