REST - handling multiple GET URLs with permissions


#1

Good afternoon,
Currently using a REST resource to get the content from a handful of Squiz resources. Each of these resources does not have public read access.

What is the best way of handling permissions for this? The resources the REST resource is pointing to all have read permissions allocated to a Squiz user account.

Can these credentials be passed through via the header or via authentication type?

I have not been able to achieve a solution for this which doesn’t result in a number of login prompts, which, based on which is filled first, will only return that specific data.

Thank you.


(Iain Simmons) #2

Hi,

On the REST asset, you can use the ‘Matrix Cookie Passthrough’ authentication method, enter the username and password for a Matrix user with the relevant permissions to the assets (assuming they are in the same instance of Matrix), and then it will be treated as if that user logged in and requested those assets.

The password will not be shown on the details screen after you Save/Commit, so it should be safe to use your own admin user details, but obviously if your user is later removed for some reason, it will need to be changed to another. Sometimes it’s useful to create a new user just for this, with the relevant permissions for that reason.

Hope that helps!
– iain


#3

Thanks @isimmons
Will the page permissions still be honoured if the Matrix cookie passthrough approach is used, i.e. remove public read from the final REST resource?


(Iain Simmons) #4

Hi @pixelmedia,

It will send the REST request using the permissions of the user whose username and password you use, but you can control who sees the result/response by changing permissions on the REST Resource asset itself.

Hope that makes sense.