GET, POST, PUT Member permissions #74
Comments
I have asked this question before and never worked out how to do it. If you could possibly send me some example code so I can get my head around it :) I'm more than happy to pay for your time as this project needs to be finished in the next 2 days! Arrrgh! Contact me on [email protected] if you can help solve this issue for me once and for all. I just need to see how permissions would work on a simple DataObject with two different Members. Thanks!

Hmmmm... looks promising: RESTfulAPI_GroupExtension. How does this work?
Hey @nimeso I'll put the answer here for all to see. Happy to help for free :)

Basically the module comes with a few tools/components to make access control easier, but you still have to write a little bit of code yourself to finish the implementation.

First some config to enable access control so it checks Member's permissions, by changing `access_control_policy`:

```yaml
RESTfulAPI:
  access_control_policy: 'ACL_CHECK_CONFIG_AND_MODEL'
```

This tells the API to both check the requested model `api_access` config and then check permission on the model through canView/Edit/Create/Delete.

Then we need some Permissions and Groups to add Members to and give them different access levels to check against.

The RESTfulAPI_GroupExtension comes with a set of basic API Permissions and Groups that can be used. We'll just add it in our config:

```yaml
Group:
  extensions:
    - RESTfulAPI_GroupExtension
```

Now we have a set of Groups named restfulapi-readers, restfulapi-editors and restfulapi-administrators that have different sets of Permissions (view only, view+edit+create and all).

Now in the CMS you can add your Members to the groups you want. In your case '*super admin API admin users*' would be in the restfulapi-administrators group and '*content API users*' would be in the restfulapi-readers group.

Now that it is all setup we can enforce those permissions on our DataObjects, in their canView/Edit/Create/Delete methods. So you would have to add this to all the DataObjects accessible via the API:

```php
// 'any' means: the Member holds the permission code directly
// or through any of the Groups they belong to.
public function canView($member = null)
{
    return Permission::check('RESTfulAPI_VIEW', 'any', $member);
}

public function canEdit($member = null)
{
    return Permission::check('RESTfulAPI_EDIT', 'any', $member);
}

public function canCreate($member = null)
{
    return Permission::check('RESTfulAPI_CREATE', 'any', $member);
}

public function canDelete($member = null)
{
    return Permission::check('RESTfulAPI_DELETE', 'any', $member);
}
```

Adding this code to all the DataObjects is a bit laborious, that could probably be added to a DataExtension in the future...

All this should get it working. Try it out and let me know.
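As an added example (not the module's code and not from the thread), here is the DataExtension the answer hints at: it packages the four checks so they are attached through config instead of being copied into every class. It assumes the SilverStripe 3 API, and the extension name and the `Article` class it is applied to are made-up names.

```php
<?php
// Added example (not part of the module or the thread): one DataExtension
// carrying the four checks the thread pastes into every API-exposed
// DataObject. SilverStripe 3 API assumed; the class name is an assumption.
//
// Apply per class through config (the Article class is assumed):
//   Article:
//     extensions:
//       - RESTfulAPIPermissionExtension
//
// DataObject::canView() etc. call extendedCan(), which asks each extension:
// false denies, true allows, null defers to the next one / the default.
class RESTfulAPIPermissionExtension extends DataExtension
{
    public function canView($member = null)
    {
        return $this->checkApiPermission('RESTfulAPI_VIEW', $member);
    }

    public function canEdit($member = null)
    {
        return $this->checkApiPermission('RESTfulAPI_EDIT', $member);
    }

    public function canCreate($member = null)
    {
        return $this->checkApiPermission('RESTfulAPI_CREATE', $member);
    }

    public function canDelete($member = null)
    {
        return $this->checkApiPermission('RESTfulAPI_DELETE', $member);
    }

    // Resolve the current Member when none is given, deny anonymous requests
    // outright, otherwise defer to Permission::check() with the same 'any'
    // argument the thread uses (permission held directly or via any group).
    protected function checkApiPermission($code, $member = null)
    {
        if ($member === null) {
            $member = Member::currentUser();
        }
        if (!$member) {
            return false;
        }
        return (bool) Permission::check($code, 'any', $member);
    }
}
```

A DataObject that overrides canView()/canEdit()/canCreate()/canDelete() itself without calling the parent method never reaches extendedCan(), so such a class still needs the checks inside its own override.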
Wow! Perfect and easy!
Thank you, you're a life saver.
(Reply sent by email to Thierry François's comment of Thu, Nov 24, 2016 at 8:52 PM.)
Glad it all worked out!

I have created two API Members and I'm using token authentication. Each Member has a unique API Key.
I've changed the permissions for each Member under the permissions tab for each user in the CMS so that the 'content API user' only has 'Access records through the RESTful API' checked, BUT I can still POST, PUT records using the user's API key?
I hope that's not too confusing.