Users can't view non-owner api #1605
Comments
@frenchbread Would you be interested in this task?

@bajiat self-assigned
This issue is happening for a reason not being able to fetch
Here is a publication that causes this bug:

```javascript
Meteor.publish('apiProxySettings', function (apiId) {
  // TODO: determine how to use 'api.userCanEdit()' helper
  // which uses 'Meteor.userId()' instead of 'this.userId'

  // Placeholders for manager and admin checks
  let userIsManager, userIsAdmin;

  // Get current userId
  const userId = this.userId;

  // Check that user is logged in
  if (userId) {
    // Get API document
    const api = Apis.findOne(apiId);

    // Check if user is API manager
    userIsManager = _.includes(api.managerIds, userId);

    // Check if user is administrator
    userIsAdmin = Roles.userIsInRole(userId, ['admin']);

    // Check if user is authorized to access API proxy settings
    if (userIsManager || userIsAdmin) {
      return ProxyBackends.find({ apiId });
    }
  }
});
```

@brylie What can you suggest here? I think it's okay to return proxy backend data no matter who's viewing it (authorised or non-authorised user). If we don't want to share this publication with non-authorised users, we'll have to block access to the entire API page (e.g. to redirect the user or raise a 404 page).

@frenchbread we may need to call ...

```javascript
// Check that user is logged in
if (userId) {
  ...
} else {
  // Tell awaiting subscriptions that publication is done
  return this.ready();
}
```

See, Meteor Guide: [Publications and Data Loading - Complex authorization](https://guide.meteor.com/data-loading.html#complex-auth)
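
The `this.ready()` suggestion above, applied to every branch that denies access so a non-owner's subscription completes with no proxy settings instead of waiting forever. This is an added example, not part of the thread or the project's code: the handler is a plain function so it runs without Meteor, and `apiProxySettingsHandler`, `makeDeps`, `subscribe` and the sample data are constructed for illustration.

```javascript
// Added example. Apis, ProxyBackends and Roles are passed in as `deps` so the
// handler runs without Meteor; in a publication, `ctx` would be `this`.
function apiProxySettingsHandler(ctx, apiId, deps) {
  const { Apis, ProxyBackends, Roles } = deps;
  // Not logged in, or apiId is not a plain string (e.g. a selector object)
  if (!ctx.userId || typeof apiId !== 'string') {
    return ctx.ready();
  }
  const api = Apis.findOne(apiId);
  // Unknown API: still tell the subscription it is done
  if (!api) {
    return ctx.ready();
  }
  const userIsManager = (api.managerIds || []).includes(ctx.userId);
  const userIsAdmin = Roles.userIsInRole(ctx.userId, ['admin']);
  if (userIsManager || userIsAdmin) {
    return ProxyBackends.find({ apiId });
  }
  // Logged in but not authorized: complete with no documents
  return ctx.ready();
}

// Constructed in-memory stand-ins for the collections and the roles package
function makeDeps() {
  const apis = [{ _id: 'api1', managerIds: ['alice'] }];
  const backends = [{ apiId: 'api1', url: 'https://backend.example' }];
  const admins = ['root'];
  return {
    Apis: { findOne: (id) => apis.find((a) => a._id === id) },
    ProxyBackends: { find: (sel) => backends.filter((b) => b.apiId === sel.apiId) },
    Roles: { userIsInRole: (id, roles) => roles.includes('admin') && admins.includes(id) },
  };
}

// Hypothetical driver: reports whether the subscription completes and what it receives
function subscribe(userId, apiId) {
  const ctx = { userId, readyCalled: false, ready() { this.readyCalled = true; } };
  const result = apiProxySettingsHandler(ctx, apiId, makeDeps());
  const docs = Array.isArray(result) ? result : [];
  // Meteor marks the subscription ready itself when a cursor is returned
  return { ready: ctx.readyCalled || Array.isArray(result), docs };
}

console.log(subscribe('alice', 'api1')); // manager
console.log(subscribe('bob', 'api1'));   // non-owner
console.log(subscribe(null, 'api1'));    // anonymous
```

On the client, the API page can then render for non-owners once the subscription reports ready and simply omit the proxy settings section when no document arrives.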

Users can't view the API page of an API which they are not the owners of. Is it a bug or a feature?
Steps to reproduce:
Found result: Spinner is always on and the API view isn't shown
Expected result: API view must be shown