Closed cdupont closed 6 years ago
Proposed endpoint:
GET /permissions
[{
  resource: <resource>,
  scope: [<scope>]
}]
Response: 200 - OK
GET /permissions?resource=<resource>&scopes=scope1,scope2
Response: 200 - OK, 403 - Forbidden
Example:
GET /permissions?resource=MySensor&scopes=sensors:delete
done
Currently, the api-server checks for permissions when the user performs a request on any endpoint. For instance, permissions are checked when the user performs a DELETE /sensors/XXX. However, sometimes it is necessary to know the permission in advance, before performing any request. For example, the UI could check that the user has permission to delete a resource, before displaying a "delete" icon. The current behavior is that the "delete" icon is displayed by default. If the user clicks on it, a message "unauthorized" might appear.
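An added example, not part of the issue or the project's code: a sketch of the proposed GET /permissions check sharing one decision function with the enforcement on DELETE /sensors/XXX, so the UI pre-check only decides whether to show the "delete" icon while the server still rejects the request itself. The policy table, the function names, the 204 success status and the use of the sensor id as the resource name are assumptions.

```javascript
// Constructed policy data (assumption): user -> resource -> granted scopes.
const POLICY = new Map([
  ['alice', new Map([['MySensor', ['sensors:view', 'sensors:delete']]])],
  ['bob', new Map([['MySensor', ['sensors:view']]])],
]);

// Single decision function used by both the pre-check and the enforcement.
// Fails closed: unknown user, unknown resource or an empty scope list is denied.
function isAllowed(user, resource, scopes) {
  const granted = POLICY.get(user)?.get(resource) ?? [];
  return scopes.length > 0 && scopes.every((s) => granted.includes(s));
}

// GET /permissions and GET /permissions?resource=<resource>&scopes=scope1,scope2
function getPermissions(user, query) {
  const params = new URLSearchParams(query);
  const resource = params.get('resource');
  if (resource === null) {
    // No filter: list only the caller's own permissions.
    const own = POLICY.get(user) ?? new Map();
    return { status: 200, body: [...own].map(([res, scope]) => ({ resource: res, scope })) };
  }
  const scopes = (params.get('scopes') ?? '').split(',').map((s) => s.trim()).filter(Boolean);
  return { status: isAllowed(user, resource, scopes) ? 200 : 403 };
}

// DELETE /sensors/<id>: the server makes the same decision again at request time,
// whatever the UI displayed. `sensors` is a Set standing in for the data store.
function deleteSensor(user, id, sensors) {
  if (!isAllowed(user, id, ['sensors:delete'])) return { status: 403 };
  sensors.delete(id);
  return { status: 204 }; // success status is an assumption
}

// What the UI would ask before rendering the "delete" icon.
function showDeleteIcon(user, sensorId) {
  const q = `resource=${encodeURIComponent(sensorId)}&scopes=sensors:delete`;
  return getPermissions(user, q).status === 200;
}
```

Because the pre-check result can be stale or bypassed by calling the API directly, `deleteSensor` never trusts it and evaluates `isAllowed` itself.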