venveo / craft-oauthclient

A free to use OAuth 2.0 Client helper for Craft 3 developers
MIT License

Front end OAuth authorization only works when 'Access the control panel' permission is set #35

Open bencresty opened 3 years ago

bencresty commented 3 years ago

Using the code from the examples in the readme to have a front-end 'login' via OAuth: when having a user that doesn't have admin access rights and shouldn't be able to log in to the CMS, I would expect the user to be able to log in to the OAuth/resource server (like Google) from the front end by only having the 'Login to Apps' permission and the sub-permission (in this case called 'Login to "Google API" (googleApi) app') enabled for that user. But that isn't enough, as it doesn't work without other permissions enabled.

When enabling the Admin permission for this user it obviously works, but that's not wanted, as the user shouldn't be able to log in to the Control Panel/CMS nor have any admin privileges. So I turned off the Admin permission again and tried the least amount of permissions needed to make the front-end authorization of the plugin work.

I found out that, next to having the obvious OAuth Client permissions turned on, the permission General --> Access the control panel also needs to be enabled for this user. Like so:

[screenshots of the user's permission settings]

But this still isn't what we want, as this user should not be allowed to enter the Control Panel/CMS, and therefore we want to be able to keep the 'Access the control panel' permission disabled.

I'm not doing anything in code that needs the Control Panel permission from the module, so it looks like the plugin really wants that permission enabled in order for it to work. I can't think of any reason, though, why it would need this when the user only needs to log in via the front end to use the front end and then needs to get the login screen from Google (in this case) via OAuth, just to authorize against the OAuth server and get data from there (Google).

IMO the 'Access the control panel' permission should not be required to use the plugin, as the Control Panel isn't involved when using the front end, or at least I can't think of a reason why it should be. And with this permission needing to be enabled, this is causing an issue, as the user is now permitted to log in to the Control Panel, which we don't want.

Could this permission requirement be removed from the plugin? Or am I missing something here?

Hope this makes sense.

Thanks in advance!
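As an added illustration of the permission boundary the issue is about (this is not code from venveo/craft-oauthclient nor from the reporter's module), the following Craft 3 front-end controller gates an OAuth "connect" step on an app-specific user permission only and never on `accessCp`. The module namespace, the route, the redirect target and the permission handle `oauthclient-login-googleApi` are hypothetical placeholders; the Craft calls used (`requireLogin()`, `requirePermission()`, `getIsCpRequest()`, `checkPermission()`) are core `craft\web\Controller` / `craft\web\User` API.

```php
<?php
// Added example (hypothetical module, not the plugin's own code): a front-end
// controller action that checks only the app-specific permission and shows
// where an implicit 'accessCp' requirement would otherwise creep in.

namespace modules\oauthdemo\controllers;

use Craft;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;

class ConnectController extends Controller
{
    // A logged-in site user is required, but no control-panel session is.
    protected $allowAnonymous = false;

    // Hypothetical handle standing in for the plugin's per-app sub-permission.
    const APP_PERMISSION = 'oauthclient-login-googleApi';

    public function actionStart(): Response
    {
        $this->requireLogin();

        // Calling $this->requireCpRequest() here would be the wrong gate: a CP
        // request is only reachable by users holding 'accessCp', which is the
        // coupling described in the issue. Refuse CP requests instead.
        if (Craft::$app->getRequest()->getIsCpRequest()) {
            throw new ForbiddenHttpException('This action is front-end only.');
        }

        // The only authorization check: the app-specific permission.
        // requirePermission() throws ForbiddenHttpException when it is missing;
        // admin users pass any permission check, which matches the reporter's
        // observation that enabling Admin "obviously works".
        $this->requirePermission(self::APP_PERMISSION);

        // Sanity check for the reporter's scenario: a non-admin user reaching
        // this point should not also be able to enter the control panel.
        $user = Craft::$app->getUser();
        if (!$user->getIsAdmin() && $user->checkPermission('accessCp')) {
            Craft::warning('Front-end OAuth user unexpectedly holds accessCp', __METHOD__);
        }

        // Hand off to the provider's authorization URL (placeholder path).
        return $this->redirect('/oauth/authorize-placeholder');
    }
}
```

The practical check for a report like this one is to grep the plugin's controllers and services for `requireCpRequest()`, `requirePermission('accessCp')`, `checkPermission('accessCp')` or `getIsCpRequest()`, since any of those on the front-end code path reproduces exactly the symptom described above.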