New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] an API endpoint to find out what permissions are granted with the provided key #3418
Comments
There already is something that you can do now, which is doing a passive login request against
However it might indeed make sense to provide a list of the actual permission identifiers associated with the user instead of the needs defined therein since those might change internally. Since I'll definitely need another RC based on the current feedback, I'll see that I can look into this for that still. Makes sense to have as part of the new permission system right from the get go. |
For the record, I can work with the passive login solution especially since that also returns data in 1.3.x. |
As suggested by @fieldOfView. Implements #3418
That is now implemented by the above commit under |
Awesome. For the benefit of anyone reading this issue and not the code: the endpoints are actually It is a bit strange that the output of |
Yeah, I'm not completely happy with that either yet, but didn't have a good idea... maybe |
I don't actually mind the |
I fear it could get confusing in the future ("was it
It's permissions and needs actually. The needs are what is actually used to decide if some action is allowed or not by flask. Can be something like "role:settings" or "group:admin" or "id:foosel" and so on. Permissions only model the "role:*" stuff of that. So you assign a permission to a user, that contains one or more role needs. How the needs are named and such is an implementation detail that while it's being exposed on the API (for reasons which right now I'm not even sure about anymore) it shouldn't actually be considered stable or at least stably named. I can vouch for the |
Update documentation accordingly. See also #3418
Slight change of plans. It now lives under |
Documentation is updated as well (staging only for now). |
1.4.0 has been released. |
Is your feature request related to a problem? Please describe.
OctoPrint 1.4.0 introduces granular permissions. Given a (limited) list of permissions available for the user accessing OctoPrint through the API, an application may want to disable parts of its UI (eg disable the jog controls if the Permissions.CONTROL permission is not granted for the user).
Currently there is no way for an application to query the user and/or permissions that are granted to the user accessing the API. It is possible to query this information if the user name is known, but if an application is only given an appkey to work with, there is no way for the application to know the user name associated with the appkey.
Describe the solution you'd like
An API endpoint to list the available permissions, eg:
/api/access/permissions/available
. This would return either a subset of '/api/access/permissions' (with all the metadata for each permission) or only a list of permission keys.An alternative that would have other benefits is some way to find out the username that is associated with the provided key, which could then be used with the `/api/access/users/[username]' endpoint. It could also be an option to allow the API key as an argument in '/api/access/users/[username or API key]'.
Describe alternatives you've considered
The current alternative is for the application just to try and respond if a permission denied error is returned by OctoPrint and ask the user for forgiveness.
Additional context
I can do the work adding the API endpoint(s) if we can come up with what would be the most optimal solution.
The text was updated successfully, but these errors were encountered: