How to use permissions?
A brief example of how permissions would work in a real-world application.
Overview
It is recommended to read through our permissions documentation before diving into this example.
To demonstrate the use of permissions, let's imagine a web app for the community of Coffee Aficionados, where users can browse coffee beans, basic recipes, and private recipes for premium members.
Scenario
Everybody can get a list of coffee beans, but only moderators can create and delete new ones (two ways to qualify: by holding the moderator role, or by calling with the Deskree Admin Token).
Basic recipes can only be seen and managed by registered users.
Private recipes can only be seen and managed by users who have a "premium_member" role.
Only moderators can delete recipes.
Private recipes are private: nobody can get a list of them; a recipe can only be fetched individually by its uid.
Comments can be seen and managed by registered users.
Solution
Database
For this app, let's have the following database tables:
Users (default)
coffeeBeans
basicRecipes
privateRecipes
comments
Permissions
/api/v1/rest/collections/coffeebeans
Method | Permission |
---|---|
GET | Public |
GET_UID | Public |
POST | Roles ["moderator"] |
PATCH | Author |
DELETE | Author |
/api/v1/rest/collections/basicrecipes
Method | Permission |
---|---|
GET | Private |
GET_UID | Private |
POST | Private |
PATCH | Author |
DELETE | Roles ["moderator"] |
/api/v1/rest/collections/privaterecipes
Method | Permission |
---|---|
GET | Admin |
GET_UID | Author |
POST | Roles ["premium_member"] |
PATCH | Author |
DELETE | Roles ["moderator"] |
/api/v1/rest/collections/comments
Method | Permission |
---|---|
GET | Private |
GET_UID | Private |
POST | Private |
PATCH | Author |
DELETE | Author |
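To see how the four tables above behave as a policy, here is an added example (not Deskree's own code) that transcribes them into a small evaluator and runs sample requests through it. The meaning of each level is an assumption drawn from the scenario: Public allows anonymous callers, Private requires a registered user, Author requires the caller to be the record's creator, Roles [...] requires one of the listed roles, and Admin requires the Deskree Admin Token, which is also assumed to satisfy every other level (as the coffee-beans scenario suggests). The `Request` fields and the `evaluate` function are hypothetical names chosen for this illustration.

```python
"""Evaluate the Coffee Aficionados permission tables against sample requests.

Added illustration, not Deskree's own code. The tables are transcribed from
the page; the evaluation rules are assumptions drawn from the scenario:
  Public    - anyone, including anonymous callers
  Private   - any registered (authenticated) user
  Author    - only the user who created the record
  Roles []  - only users holding at least one of the listed roles
  Admin     - only requests carrying the Deskree Admin Token
A request carrying the Admin Token is assumed to satisfy every level.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Transcribed from the four tables on the page, one entry per endpoint/method.
PERMISSIONS = {
    "coffeebeans": {
        "GET": "Public", "GET_UID": "Public", "POST": 'Roles ["moderator"]',
        "PATCH": "Author", "DELETE": "Author",
    },
    "basicrecipes": {
        "GET": "Private", "GET_UID": "Private", "POST": "Private",
        "PATCH": "Author", "DELETE": 'Roles ["moderator"]',
    },
    "privaterecipes": {
        "GET": "Admin", "GET_UID": "Author", "POST": 'Roles ["premium_member"]',
        "PATCH": "Author", "DELETE": 'Roles ["moderator"]',
    },
    "comments": {
        "GET": "Private", "GET_UID": "Private", "POST": "Private",
        "PATCH": "Author", "DELETE": "Author",
    },
}

ROLES_RE = re.compile(r'^Roles\s*\[(.*)\]$')


def parse_permission(value: str) -> Tuple[str, FrozenSet[str]]:
    """Turn a table cell such as 'Roles ["moderator"]' into ('Roles', {'moderator'})."""
    m = ROLES_RE.match(value)
    if m:
        roles = {r.strip().strip('"\'') for r in m.group(1).split(",") if r.strip()}
        return "Roles", frozenset(roles)
    if value not in {"Public", "Private", "Author", "Admin"}:
        raise ValueError(f"unknown permission level: {value!r}")
    return value, frozenset()


@dataclass
class Request:
    collection: str
    method: str
    user_uid: Optional[str] = None             # None means an anonymous caller
    roles: FrozenSet[str] = frozenset()        # roles attached to the caller's account
    admin_token: bool = False                  # request carries the Deskree Admin Token
    record_author: Optional[str] = None        # uid that created the targeted record


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). An endpoint/method without a rule is denied, not errored."""
    try:
        level, roles = parse_permission(PERMISSIONS[req.collection][req.method])
    except KeyError:
        return False, "no permission rule for this endpoint/method"
    if req.admin_token:
        return True, "admin token"  # assumption: the Admin Token satisfies every level
    if level == "Public":
        return True, "public endpoint"
    if req.user_uid is None:
        return False, f"{level} requires an authenticated user"
    if level == "Private":
        return True, "registered user"
    if level == "Author":
        if req.record_author is None:
            return False, "author check needs the target record"
        ok = req.record_author == req.user_uid
        return ok, "caller is the author" if ok else "caller is not the author"
    if level == "Roles":
        ok = bool(req.roles & roles)
        return ok, f"requires one of {sorted(roles)}"
    # level == "Admin": only the Admin Token path above succeeds
    return False, "admin token required"


if __name__ == "__main__":
    # Constructed sample requests walking through the scenario bullet points.
    samples = [
        Request("coffeebeans", "GET"),
        Request("coffeebeans", "POST", user_uid="u1"),
        Request("coffeebeans", "POST", user_uid="u2", roles=frozenset({"moderator"})),
        Request("privaterecipes", "POST", user_uid="u1"),
        Request("privaterecipes", "GET", user_uid="u1"),
        Request("privaterecipes", "GET_UID", user_uid="u1", record_author="u1"),
        Request("basicrecipes", "DELETE", user_uid="u1", record_author="u1"),
    ]
    for s in samples:
        print(f"{s.method:8} {s.collection:15} -> {evaluate(s)}")
```

The reason string is what you would log on a deny: it lets you distinguish "wrong role" from "not the author" when investigating why a request was rejected. Note that the basic-recipes DELETE sample is denied even for the recipe's author, because the table grants DELETE to moderators only, not to Author.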