You can customize each individual endpoint permission as well as apply the same permission to all endpoints via the "Apply to all" selector in the top right corner of the page. Below are the permission types we offer.
Endpoints with permission type set to public are available for anyone to access without providing an authorization header.
CAUTION: having endpoints' permissions set to public means that anybody on the internet can access this endpoint.
If an endpoint has permission set to "admin", it means it will only be accessible when a valid "deskree-admin" token is provided in the header of the request.
The Deskree Admin Token allows skipping all the set permissions. This is a great tool when you want endpoints to be accessed only from a specific front-end implementation, such as admin panels.
A few important considerations:
- The system does not track the author's property when using an admin token.
- You can use Admin permission as a way to "disable" certain endpoints and make them inaccessible to anyone other than yourself or your Deskree teammates.
- You can provide a Deskree Admin token regardless of the permissions set by an endpoint to completely skip the middleware part. In other words, it overrides the permissions.
DANGER: Always keep your Deskree Admin token secure as it is a very powerful token that may allow unwanted access to your data if compromised. If you believe that is the case, you can always refresh your token.
- If permission is set to "author", only the user who created the object will be able to access it, as determined by the token provided in the authorization header.
- In case a token is not provided when creating an object, the author property is null.
Author permission is only available for GET_UID, PATCH, and DELETE requests. It is also only applicable to database permissions and, hence, is not present in integration permission since we cannot track the creator of objects in third-party APIs.
You can add an unlimited number of roles in the Roles tab of the Middleware page.
To access endpoints where permission is set for certain roles, a user must have this role when making the request.
- We fetch user data based on the authorization token provided when making the request.
- If the endpoint permission is set to multiple roles, a user must have any one of those roles to be able to access the data.
- For example: if the endpoint permission is set to the roles "buyer" and "admin", a user who has either "buyer" or "admin" or both roles will be able to access it.
- The roles of the user are stored in the "roles" column of the "Users" table as an array of role UIDs.