How do the "Permissions" options work?

Who can explain to me what these options are for in Cockpit? I can’t find anything in the documentation.

This (in Collections):

And this (in Singletons):

Thanks in advance.

The permissions are for access to the data via the API (and the admin interface) and they are split up into specific “actions”.

Actions and their API endpoints


  • Edit collection : /api/collections/updateCollection/COLLECTION_NAME + {data: ...}
  • View entries : /api/collections/entries/COLLECTION_NAME / /api/collections/entry/COLLECTION_NAME/ENTRY_ID
  • Edit entries : /api/collections/save/COLLECTION_NAME + {data: {_id: ENTRY_ID, ...}}
  • Create entries : /api/collections/save/COLLECTION_NAME + {data: {_id: undefined, ...}}
  • Delete entries : /api/collections/remove/COLLECTION_NAME + {filter: …}


  • Form : admin interface only; no api route - edit the singleton's values
  • Edit : admin interface only; no api route - edit the singleton's fields
  • Get data (like “view”) : /api/singletons/get/SINGLETON_NAME[/FIELD_NAME]

Public (and other groups)

You can set those permissions on a group level.
By default only the “public” group is shown; as soon as you have other groups specified (in your config.php) you can also set permissions for those other groups; this also means if you have other groups than admin you are setting the permission for those group-users to access that data via the API as well as the admin interface (if the group has admin interface access).

IMPORTANT: If you enable any of the permissions to be public anyone can execute that action on your API without the need of a token or any authentication. E.g. “view entries” → this will make the whole contents of your collection available to anyone who wants to query it.

Collection rule “scripts”

For “create”, “read”, “update”, “delete” you have the possibility to run the request through an additional script. Those are enabled below the general permissions.

Those scripts are included when the request is processed and receive a $context of the query (data sent, filters set, etc.) and allow you to edit that $context (filter, enhance, validate, …) before it is sent to the user (on read) / the database (on write).


Content preview

This can be found here: Missing documentation of Content Preview

Okay, thanks for the feedback.

I understand things better.

On the other hand, I have other questions:

1/ To retrieve the information from my Shop collection, I use this endpoint (this is what is indicated in the documentation): /api/collections/get/shop?token=XXX (to get all the items in the shop) or /api/collections/get/shop?token=XXX&filter[slug]=XXX (to get a particular item), whereas you seem to be using this endpoint: /api/collections/entries/shop (to get all items in the shop) and /api/collections/entry/shop/XXX (to get a particular item). What I am doing is not right?

2/ If I activate the “View entries” option in public mode. It is not possible to activate filters or sorting. For example: /api/collections/get/shop&filter[published]=true&sort[order]=1?

3/ Where can I find an example of code to put in the script section, in order to have an idea of what it is possible to do?

/get/ is working but labeled “deprecated”.
/entries/ is the “new” /get/ and you can retrieve none or all or any amount in between of entries with the return format {fields: [], entries: [], total: int}

/entry/ returns the first entry fitting the given filter params and returns that data object directly (no wrapper like /entries/)

There is a mistake in how you appended your parameters:
wrong with & : /api/collections/get/shop&filter[published]=true&sort[order]=1
correct with ? : /api/collections/get/shop?filter[published]=true&sort[order]=1

And filters and ordering are by default available.

For the “rules” scripts, you can find some in @raffaelj's script collection

They all operate on the $context variable which is always different for the different rules.
Just search the /modules/Collections/bootstrap.php for _check_collection_rule and you can see how that object is set up in the different cases of create, read, update, delete.
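
An added example, not part of the original posts and not Cockpit's own code: a token-less probe of the two read endpoints named in this thread, to confirm from outside which of your collections and singletons the “public” group can actually read. The host name, the sample responses and the rule that a refused request comes back as a non-200 status or a JSON object with an `error` key are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

def http_get(url):
    """GET without any token or auth header; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def classify(kind, status, body):
    """('public', size) when an anonymous request got data, else ('protected', None)."""
    # Assumption: a refusal is a non-200 status or a JSON object carrying "error".
    try:
        data = json.loads(body) if status == 200 else None
    except ValueError:
        data = None  # e.g. an HTML login page instead of JSON
    if not isinstance(data, dict) or "error" in data:
        return "protected", None
    if kind == "collection":
        # /entries/ wraps results as {fields, entries, total} (format from the thread)
        if "entries" not in data:
            return "protected", None
        return "public", data.get("total", len(data["entries"]))
    return "public", len(data)  # singleton: bare data object, count its fields

def audit(base, collections=(), singletons=(), send=http_get):
    """Probe "View entries" and "Get data" without a token; report what anyone can read."""
    base = base.rstrip("/")
    targets = [("collection", n, f"{base}/api/collections/entries/{quote(n)}") for n in collections]
    targets += [("singleton", n, f"{base}/api/singletons/get/{quote(n)}") for n in singletons]
    report = {}
    for kind, name, url in targets:
        verdict, size = classify(kind, *send(url))
        report[f"{kind}:{name}"] = {"url": url, "access": verdict, "size": size}
    return report

# Constructed responses standing in for an instance where only "shop" is public.
SAMPLE = {
    "/api/collections/entries/shop": (200, '{"fields": [], "entries": [{"slug": "a"}, {"slug": "b"}], "total": 2}'),
    "/api/collections/entries/orders": (401, '{"error": "Unauthorized"}'),
    "/api/singletons/get/settings": (401, '{"error": "Unauthorized"}'),
}

def fake_send(url):
    return SAMPLE[url.split("example.test", 1)[1]]
```

Against a real instance, call `audit("https://your-host", [...], [...])` and leave `send` at its default; only the read endpoints are probed, so nothing is written or deleted.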

Yes, indeed! I am stupid!

Thanks again for your feedback!

Just one more thing.
In the Singletons, Permissions section, the Form option is used to modify the Singleton structure (fields, etc…) directly via the API?

The singletons cannot be edited via the API but only retrieved.

The permission for Form is only for the admin interface route which shows the form to edit a singleton's values.

Ok, thanks for this feedback!