Permissions check upon API calls

Install and configure FormaLMS and DoceboCE
Post Reply
sander
Newbie
Posts: 4
Joined: Wed Jun 03, 2020 9:06 am

Permissions check upon API calls

Post by sander »

Hi again, I'm fooling around with rest API calls, and I found some possible enhancements to suggest.
When calling particular actions, the API should check if the authenticated user has the permission to do that action.
Moreover, if the action involves another user or course, the API should check if the authenticated user has permission on that object.

Example:

let's say we're authenticating with an Administrator (not a God Admin) and he's calling user API, userdetails action on a certain user X.

In my opinion we should first check the authenticated user has permission to view users, and then if he has visibility on user X.

Differently, we should resign ourselves to the fact that the authenticated user will always have God privileges.

Post Reply