Open nimeso opened 7 years ago
I have asked this question before and never worked out how to do it. If you could possibly send me some example code so I can get my head around it :) I'm more than happy to pay for your time as this project needs to be finished in the next 2 days! Arrrgh! Contact me on jamie@plattar.com if you can help solve this issue for me once and for all. I just need to see how permissions would work on a simple DataObject with two different Members. Thanks!
Hmmmm... looks promising
RESTfulAPI_GroupExtension my members are in different groups already with correct permissions set.
How does this work?
Hey @nimeso I'll put the answer here for all to see. Happy to help for free :)
Basically the module comes with a few tools/components to make access control easier, but you still have to write a little bit of code yourself to finish the implementation.
First some config to enable access control so it checks Members' permissions, by changing access_control_policy:
    RESTfulAPI:
      access_control_policy: 'ACL_CHECK_CONFIG_AND_MODEL'
This tells the API to both check the requested model's api_access config and then check permission on the model through canView/Edit/Create/Delete.
Then we need some Permissions and Groups to add Members to and give them different access levels to check against.
The RESTfulAPI_GroupExtension comes with a set of basic API Permissions and Groups that can be used. We'll just add it in our config:
    Group:
      extensions:
        - RESTfulAPI_GroupExtension
Now we have a set of Groups named restfulapi-readers, restfulapi-editors and restfulapi-administrators that have different sets of Permissions (view only, view+edit+create and all).
Now in the CMS you can add your Members to the groups you want. In your case 'super admin API admin users' would be in the restfulapi-administrators group and 'content API users' would be in the restfulapi-readers group.
Now that it is all set up we can enforce those permissions on our DataObjects, in their canView/Edit/Create/Delete methods. So you would have to add this to all the DataObjects accessible via the API:
    public function canView($member = null)
    {
        return Permission::check('RESTfulAPI_VIEW', 'any', $member);
    }

    public function canEdit($member = null)
    {
        return Permission::check('RESTfulAPI_EDIT', 'any', $member);
    }

    public function canCreate($member = null)
    {
        return Permission::check('RESTfulAPI_CREATE', 'any', $member);
    }

    public function canDelete($member = null)
    {
        return Permission::check('RESTfulAPI_DELETE', 'any', $member);
    }
Adding this code to all the DataObjects is a bit laborious, that could probably be added to a DataExtension in the future...
All this should get it working. Try it out and let me know.
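Putting the four canX() checks into a DataExtension, as the comment above says could be done, looks roughly like this. This is an added example, not code from the module, from the thread, or from SilverStripe itself; the class name RESTfulAPIPermissionExtension and the model name Product are assumptions, and it targets the SilverStripe 3 API the thread is using (the RESTfulAPI_* permission codes are the ones provided by RESTfulAPI_GroupExtension).

```php
<?php
/**
 * Added example (not the module's own code): a DataExtension that applies the
 * RESTfulAPI_* permission checks to every DataObject it is attached to,
 * instead of copy-pasting four canX() methods into each class.
 *
 * Assumed wiring in mysite/_config/config.yml (model and class names are
 * assumptions for this example):
 *
 *   RESTfulAPI:
 *     access_control_policy: 'ACL_CHECK_CONFIG_AND_MODEL'
 *   Group:
 *     extensions:
 *       - RESTfulAPI_GroupExtension
 *   Product:
 *     api_access: true
 *     extensions:
 *       - RESTfulAPIPermissionExtension
 */
class RESTfulAPIPermissionExtension extends DataExtension
{
    /**
     * Permission codes provided by RESTfulAPI_GroupExtension, keyed by the
     * DataObject method that should check them.
     */
    private static $permission_codes = array(
        'canView'   => 'RESTfulAPI_VIEW',
        'canEdit'   => 'RESTfulAPI_EDIT',
        'canCreate' => 'RESTfulAPI_CREATE',
        'canDelete' => 'RESTfulAPI_DELETE',
    );

    public function canView($member = null)
    {
        return $this->checkApiPermission(__FUNCTION__, $member);
    }

    public function canEdit($member = null)
    {
        return $this->checkApiPermission(__FUNCTION__, $member);
    }

    public function canCreate($member = null)
    {
        return $this->checkApiPermission(__FUNCTION__, $member);
    }

    public function canDelete($member = null)
    {
        return $this->checkApiPermission(__FUNCTION__, $member);
    }

    /**
     * Return a definite true/false rather than null. A null result from an
     * extension tells DataObject::canX() to fall back to its own default,
     * which is not what we want for API-exposed models: a reader should get
     * an explicit false from canEdit()/canCreate()/canDelete().
     *
     * Permission::check() returns false for an anonymous (null) member, so
     * unauthenticated requests are denied too, and ADMIN implies every code
     * by default, so CMS administrators are not locked out.
     */
    protected function checkApiPermission($method, $member)
    {
        $codes = self::$permission_codes;
        if (!isset($codes[$method])) {
            return false; // fail closed on an unexpected method name
        }
        return Permission::check($codes[$method], 'any', $member) ? true : false;
    }
}
```

With this attached, a Member in restfulapi-readers passes canView() but gets false from canEdit()/canCreate()/canDelete(), so under ACL_CHECK_CONFIG_AND_MODEL the API should reject their POST/PUT/DELETE on that model; a Member in restfulapi-administrators passes all four.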
Wow! Perfect and easy! Thank you, you're a lifesaver.
On Thu, Nov 24, 2016 at 8:52 PM, Thierry François notifications@github.com wrote:
Glad it all worked out!
I have created two api Members and I'm using token authentication. Each Member has a unique API Key
I've changed the permissions for each Member under the permissions tab for each user in the CMS so that the 'content API user' only has 'Access records through the RESTful API' checked BUT I can still POST, PUT records using the user's API key?
I hope that's not too confusing.