How do the "Permissions" options work?

The permissions are for access to the data via the API (and the admin interface) and they are split up into specific “actions”.

Actions and their API endpoints

Collections

  • Edit collection : /api/collections/updateCollection/COLLECTION_NAME + {data: ...}
  • View entries : /api/collections/entries/COLLECTION_NAME or /api/collections/entry/COLLECTION_NAME/ENTRY_ID
  • Edit entries : /api/collections/save/COLLECTION_NAME + {data: {_id: ENTRY_ID, ...}}
  • Create entries : /api/collections/save/COLLECTION_NAME + {data: {_id: undefined, ...}}
  • Delete entries : /api/collections/remove/COLLECTION_NAME + {filter: …}

Singletons

  • Form : admin interface only; no API route - edit the singleton's values
  • Edit : admin interface only; no API route - edit the singleton's fields
  • Get data (like “view”) : /api/singletons/get/SINGLETON_NAME[/FIELD_NAME]

Public (and other groups)

You can set those permissions on a group level.
By default only the “public” group is shown; as soon as you have other groups specified (in your config.php) you can also set permissions for those groups. This also means that if you have groups other than admin, you are granting users of those groups access to that data via the API as well as via the admin interface (if the group has admin interface access).

IMPORTANT: If you enable any of the permissions to be public, anyone can execute that action on your API without a token or any other authentication. E.g. making “view entries” public makes the whole contents of your collection available to anyone who queries it.

Collection rule “scripts”

For “create”, “read”, “update” and “delete” you can run the request through an additional script. Those scripts are enabled below the general permissions.

Those scripts are included when the request is processed and receive a $context of the query (data sent, filters set, etc.). They allow you to edit that $context (filter, enhance, validate, …) before it is sent to the user (on read) or to the database (on write).
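As an added illustration (not code from the original post or from the CMS itself), here is a “read” rule script that tightens a public read request before it reaches the database. The rule file location and the layout of $context ($context->options['filter'], $context->options['fields'], $context->options['limit'], $context->user['group']) are assumptions about this installation, not something this page documents.

```php
<?php
// Added example, not from the original post. Assumed location:
// config/collections/rules/posts/read.php (path and $context layout are assumptions).
//
// Scenario: "view entries" was made public for the "posts" collection, so every
// read request reaches this script without a token. Whatever filter/fields the
// caller sends, only published rows and only non-sensitive fields may leave.

$options = (isset($context->options) && is_array($context->options)) ? $context->options : [];

// Assumed: an authenticated admin user is exposed as $context->user['group'].
$group   = $context->user['group'] ?? null;
$isAdmin = ($group === 'admin');

if (!$isAdmin) {
    // 1. AND a mandatory constraint onto the caller's filter. Because our key is
    //    written last, the caller cannot override it with its own "published" value.
    $callerFilter = (isset($options['filter']) && is_array($options['filter'])) ? $options['filter'] : [];
    $options['filter'] = array_merge($callerFilter, ['published' => true]);

    // 2. Strip fields that must never be served publicly (constructed field names).
    $denied = ['_by', '_mby', 'internal_notes', 'author_email'];
    $fields = (isset($options['fields']) && is_array($options['fields'])) ? $options['fields'] : [];
    // Projections are either inclusive (field => 1) or exclusive (field => 0);
    // never mix the two, so pick the matching way to remove the denied fields.
    $inclusive = in_array(1, $fields, true) || in_array(true, $fields, true);
    foreach ($denied as $f) {
        if ($inclusive) {
            unset($fields[$f]);   // caller asked for it explicitly: drop it
        } else {
            $fields[$f] = 0;      // exclusive projection: exclude it
        }
    }
    $options['fields'] = $fields;

    // 3. Cap the page size so an anonymous caller cannot dump the collection in one call.
    $requested = isset($options['limit']) ? (int) $options['limit'] : 50;
    $options['limit'] = max(1, min($requested, 100));
}

$context->options = $options;
```

The same pattern applies to a “create” or “update” rule, where the script would inspect and validate $context->data (assumed name) before it is written.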

See

Content preview

This can be found here Missing documentation of Content Preview