How do the "Permissions" options work?

MarcTabaries · August 6, 2021, 11:45am

Who can explain to me what these options are for in Cockpit ? I can’t find anything in the documentation.

This (in Collections) :

And this (in Singletons) :

Thanks in advance.

abernh · August 6, 2021, 1:17pm

The permissions are for access to the data via the API (and the admin interface) and they are split up into specific “actions”.

Actions and their API endpoints

Collections

Edit collection : /api/collections/updateCollection/COLLECTION_NAME + {data: ...}
View entries : /api/collections/entries/COLLECTION_NAME / /api/collections/entry/COLLECTION_NAME/ENTRY_ID
Edit entries : /api/collections/save/COLLECTION_NAME + {data: {_id: ENTRY_ID, ...}}
Create entries : /api/collections/save/COLLECTION_NAME + {data: {_id: undefined, ...}}
Delete entries : /api/collections/remove/COLLECTION_NAME + {filter: …}

Singletons

Form : admin interface only; no api route - edit the singletons values
Edit : admin interface only; no api route - edit the singletons fields
Get data (like “view”) : /api/singletons/get/SINGLETON_NAME[/FIELD_NAME]

Public (and other groups)

You can set those permissions on a group level.
By default only the “public” group is shown; as soon as you have other groups specified (in your config.php ) you can set also permissions for those other groups; this also means if you have other groups than admin you are setting the permission for those group-users to access that data via the API as well as the admin interface (if the group has admin interface access).

IMPORTANT: If you enable any of the permissions to be public anyone can execute that action on your API without the need of a token or any authentication. E.g. “view entries” → this will make the whole contents of your collection available to anyone who wants to query it.

Collection rule “scripts”

For “create”, “read”, “update”, “delete” you have the possibility to run the request through an additional script. Those are en/abled below the general permissions.

Those scripts are included when the request is processed and receive a $context of the query (data sent, filters set, etc) and allow you to edit that $context (filter, enhance, validate, …) before it is send to the user (on read) / the database (on write)

See

github.com

agentejo/cockpit/blob/568b0124352f6d27df359e8c19a70d2dd1961e87/modules/Collections/bootstrap.php#L659

    
      
                      $link = $v['link'];
                      $items[$k] = cockpit('collections')->_resolveLinkedItem($v['link'], (string)$v['_id'], $fieldsFilter);
                      $items[$k]['_link'] = $link;
                      $items[$k] = cockpit_populate_collection($items[$k], $maxlevel, ($level + 1), $fieldsFilter);
                  }
              }
          
          
    return $items;
          }
          
          
function _check_collection_rule($collection, $rule, $_context = null) {
          
          
    $context = (object) $_context;
          
          
    if (isset($collection['rules'][$rule]['enabled']) && $collection['rules'][$rule]['enabled']) {
          
          
        $_rulefile = cockpit()->path("#storage:collections/rules/{$collection['name']}.{$rule}.php");
          
          
        if ($_rulefile) {
          
          
            $context->user = cockpit()->module('cockpit')->getUser();

Content preview

This can be found here Missing documentation of Content Preview

MarcTabaries · August 9, 2021, 10:36am

Okay, thanks for the feedback.

I understand things better.

On the other hand, I have other questions:

1/ To retrieve the information from my Shop collection, I use this endpoint (this is what is indicated in the documentation) : /api/collections/get/shop?token=XXX (to get all the items in the shop) or /api/collections/get/shop?token=XXX&filter[slug]=XXX (to get a particular item), whereas you seem to be using this endpoint : /api/collections/entries/shop (to get all items in the shop) and /api/collections/entry/shop/XXX (to get a particular item). What I am doing is not right ?

2/ If I activate the “View entries” option in public mode. It is not possible to activate filters or sorting. For example: /api/collections/get/shop&filter[published]=true&sort[order]=1 ?

3/ Where can I find an example of code to put in the script section, in order to have an idea of what it is possible to do ?

abernh · August 9, 2021, 11:26am

1/
/get/ is working but labeled “deprecated”.
/entries/ is the “new” /get/ and you can retrieve none or all or any amount inbetween of entries with the return format {fields: [], entries: [], total: int}

/entry/ returns the first entry fitting the given filter params and returns that data object directly (no wrapper like /entries/)

2/
There is a mistake in how you appended your parameters
wrong with &: /api/collections/get/shop&filter[published]=true&sort[order]=1
correct with ? : /api/collections/get/shop?filter[published]=true&sort[order]=1

And filters and ordering are by default available.

3/
For the “rules” scripts, you can find some in @raffaelj `s script collection

They all operate on the $context variable which is always different for the different rules.
Just search the /modules/Collections/bootstrap.php for _check_collection_rule and you can see how that object is setup in the different cases of create, read, update, delete.

MarcTabaries · August 9, 2021, 12:59pm

Yes, indeed ! I am stupid !

Thanks again for your feedback !

MarcTabaries · August 10, 2021, 1:55pm

Just one more thing.
In the Singletons, Permissions section, the Form option is used to modify the Singleton structure (fields, etc…) directly via the API?

abernh · August 10, 2021, 2:43pm

The singletons can not be edited via the API but only retrieved.

The permission for Form is only for the admin interface route
/cockpit/singletons/form/SINGLETON_NAME
which shows the form to edit a singletons values.

MarcTabaries · August 10, 2021, 3:59pm

Ok, thanks for this feedback !

Topic		Replies	Views
Update collection and singleton via api Support	9	4099	February 9, 2023
A user with specific rights can no longer import/export data. Is it possible to automate backups?	3	439	November 1, 2021
Making singleton calls for getting data Cockpit v2	6	339	August 24, 2022
API Returns fields that have been removed from collection Support	5	1806	June 12, 2019
Core - Field access/permissions missing Cockpit v2	4	329	January 18, 2023