Comments (9)
So each log has a has_one to a Member, so a MemberID attribute? So when you login you get the current member ID (here 9) and attributes.
So a GET request like /api/log/?MemberID=9
should do the trick? Assuming Log
is the class name....
You might also be able to get it via /api/Member/9
and enable embedded records for Member...
from silverstripe-restfulapi.
Sure that could work. But I want an authenticated member to only be able to access their own logs... I assume that if I opened that up as above they could edit the url and access any peoples logs...
from silverstripe-restfulapi.
That would be done through your normal canView
checks.
If you set access_control_policy: 'ACL_CHECK_CONFIG_AND_MODEL'
(https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/RESTfulAPI.md) the api will check those canView/Update...
methods on your dataObject. There you can check that whoever is accessing it is the right Member owner of those logs.
With the token auth, the Member that sends the api request gets logged in, so canView can act on it accordingly.
Does that make sense?
from silverstripe-restfulapi.
Hi, sure, seems to, I'll have a go. Cheers!
from silverstripe-restfulapi.
@jonshutt I'm having the exact same use-case in my current app. So maybe my extension can be useful to you: https://gist.github.com/bummzack/2a6c5a3109a4ada75b1c
from silverstripe-restfulapi.
thanks - didn't progress this for a long while, but i'll check out your extension. cheers
from silverstripe-restfulapi.
I'm trying to do similar and can't get this to work.
Seems like canView, etc - relate to the class of object not the specific object itself or am I missing something? For example if I call $this->ID inside the canView function I get null.
from silverstripe-restfulapi.
@tscole the canView/Delete/Update..
methods are called multiple times during the query lifecycle.
Sometimes very early when handling the API request where the ID isn't known yet, in those case the can
method will be called on a singleton
and the ID will not be available. But the check is more than often done again later in the request lifecycle and then it will be passed an actual DataObject
so the ID should be available. If you trace your can
checks, you should get more than 1 request to it.
For example, a DELETE
api request will call api_access_control
twice, once very early when starting to handle the request and before fetching the DataObject
from the database (then the check is done on a signleton) and it is called again a last time just before deleting the actual object (after the object was fetched from the DB). But in the case of a POST
request for example, you will never have an actual ID since we are creating the object...
Hope that makes sense :)
from silverstripe-restfulapi.
Ah, that makes sense. Thanks for responding! I will amend my code and see how I get on.
from silverstripe-restfulapi.
Related Issues (20)
- Embedded Records not working as expected, or at all HOT 2
- Pagination for the Json
- The full configuration for BlogCategories & FeaturedImage
- Setting tokenOwnerClass HOT 2
- password with special characters HOT 1
- Response code 100 when post object has more than 3 relations
- CORS not working - Question really HOT 1
- api/auth/lostPassword -> BadMethodCallException
- New release? HOT 1
- Created, LastEdited never seem to be returned HOT 3
- Specify fields to be returned HOT 2
- default limit? HOT 1
- Access to token on dataobjects HOT 2
- Why convert properties and model names by "lcfirst"? HOT 1
- Lost password existing account disclosure HOT 4
- Can I call multiple dataobject in one api request and response in one json object?
- How to prevent POST requests specifying ID HOT 1
- SilverStripe 4 Support HOT 1
- model_permission_check instanceof Member not namespaced HOT 1
- Getting error: Call to undefined method SilverStripe\Config\Collections\CachedConfigCollection::set()
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from silverstripe-restfulapi.