wpmetabox / mb-rest-api

Add custom fields to WordPress REST API

access control on metadata #6

Open btsimonh opened 7 years ago

btsimonh commented 7 years ago

One challenge we have is restricting user access to the metadata... I'm toying with the idea of adding an entry to each metadata definition containing a set of required capabilities (maybe one entry for read and one for write), and a check with 'current_user_can' against these for data read and data write. Any thoughts/plans on this?

rilwis commented 7 years ago

Yeah, it's a good idea. I'm not sure if we can just use current_user_can. Probably authentication?

btsimonh commented 7 years ago

If authentication is in place, then we are already authenticated here, and the current user is set. (I've used both OAuth1 and a home-brew JWT in this project.) If the current user is unset, then the current user is zero; for people who do not allow unauthenticated access to REST, it would not get to these functions unless the user is valid. What I'm unsure of is what current_user_can([]) would return if there is no current user, and also what it will DO - I think it may try to check authorisation every time; not very efficient.

rilwis commented 7 years ago

If so, I think current_user_can is enough. It checks if no user is set and will return false for any capability.
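The scheme discussed in this thread (a read capability and a write capability declared per field, checked with current_user_can on both the read and the write path, with an unauthenticated request denied because current_user_can returns false when no user is set), written out as an added example. This is illustrative code and not part of mb-rest-api or Meta Box: the 'read_cap' / 'write_cap' keys, the example_* function names, the sample field definitions and the 'meta_box' REST field name are all assumptions made for the example. It uses only core WordPress functions (register_rest_field, current_user_can, get_post_meta, update_post_meta, rest_authorization_required_code).

```php
<?php
// Added example: per-field capability gating for custom fields exposed over the REST API.
// Not the plugin's code; the 'read_cap'/'write_cap' keys and example_* names are assumptions.

// Constructed sample field definitions, keyed by meta key. Each declares the
// capability required to read and to write that field.
function example_field_definitions() {
    return [
        'public_note'  => [ 'read_cap' => 'read',           'write_cap' => 'edit_posts' ],
        'internal_ref' => [ 'read_cap' => 'edit_posts',     'write_cap' => 'edit_others_posts' ],
        'billing_id'   => [ 'read_cap' => 'manage_options', 'write_cap' => 'manage_options' ],
    ];
}

// Single check used on both paths. current_user_can() consults the current
// WP_User; with no authenticated user (ID 0) it returns false for ordinary
// capabilities, so anonymous and under-privileged requests fail the same test.
// A field with no declared capability is treated as not exposed (fail closed).
function example_user_can_for_field( array $definition, string $mode, int $post_id ): bool {
    $key = ( 'write' === $mode ) ? 'write_cap' : 'read_cap';
    if ( empty( $definition[ $key ] ) ) {
        return false;
    }
    return current_user_can( $definition[ $key ], $post_id );
}

// get_callback: return only the fields the current user may read.
// $object is the prepared post array, so the ID is $object['id'].
function example_get_fields( $object, $field_name, $request ) {
    $post_id = (int) $object['id'];
    $out     = [];
    foreach ( example_field_definitions() as $meta_key => $definition ) {
        if ( example_user_can_for_field( $definition, 'read', $post_id ) ) {
            $out[ $meta_key ] = get_post_meta( $post_id, $meta_key, true );
        }
    }
    return $out;
}

// update_callback: authorise every submitted field before writing any of them,
// so a partially permitted request does not leave a half-applied update.
// $post is the WP_Post object here.
function example_update_fields( $value, $post, $field_name, $request ) {
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'Expected an object of field values.', [ 'status' => 400 ] );
    }
    $definitions = example_field_definitions();
    foreach ( $value as $meta_key => $new_value ) {
        if ( ! isset( $definitions[ $meta_key ] ) ) {
            return new WP_Error( 'rest_invalid_param', sprintf( 'Unknown field "%s".', $meta_key ), [ 'status' => 400 ] );
        }
        if ( ! example_user_can_for_field( $definitions[ $meta_key ], 'write', $post->ID ) ) {
            // 401 for anonymous callers, 403 for authenticated ones.
            return new WP_Error( 'rest_forbidden', sprintf( 'Not allowed to write "%s".', $meta_key ), [ 'status' => rest_authorization_required_code() ] );
        }
    }
    foreach ( $value as $meta_key => $new_value ) {
        update_post_meta( $post->ID, $meta_key, sanitize_text_field( $new_value ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_field( 'post', 'meta_box', [
        'get_callback'    => 'example_get_fields',
        'update_callback' => 'example_update_fields',
        'schema'          => null,
    ] );
} );
```

With this in place, a GET by an anonymous client returns only fields whose read capability is granted to user 0 (none of the sample ones), and a PUT that touches a field the caller cannot write is rejected as a whole before any meta is changed. The capability check runs once per field per request, which is the cost the thread was worried about; current_user_can does not re-authenticate, it only evaluates the already-resolved user's capabilities.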