Protected resources by fe_user

[oliverkroener]

I need some resources to be restricted by e.g. the frontend user.

This means that only the records that belong to a user are loaded, not all of them.

Are you already planning such a feature?

[klamparski]

@okroener As I understand you do not want to completely disable access to endpoint but rather include in response collection only records which matches specific criteria?

We use for that build-in TYPO3 enablecolumns feature (https://docs.typo3.org/m/typo3/reference-tca/master/en-us/Ctrl/Index.html#enablecolumns) because that is the only way which makes sure that records won't be visible not only in API but in whole FE.

If you would like to keep records visible in other places in FE but hidden in API then solution is not yet implemented in t3api but indeed we plan to implement that in future as it seems to be useful.

[oliverkroener]

@klamparski Yes, you are absolutely right. For that case the criteria should match either the fe_user or a fe_group ...

Thank you for mentioning the enablecolumns approach ... that might be sufficient.

If you would like to keep records visible in other places in FE but hidden in API then solution is not yet implemented in t3api but indeed we plan to implement that in future as it seems to be useful.

Maybe a special @T3api\ApiFilter could handle this ... but at the moment I am fine with filtering all elements in FE and API since we plan API first projects and would not need another view.

[kszymukowicz]

What you can already do is however to protect endpoint itself with security and security_post_denormalize.

Examples:

The "object" is model with {id} taken from database

 *        "delete"={
 *              "path"="/model/{id}",
 *              "method"="DELETE",
 *              "security"="frontend.user.isLoggedIn && object.getAuthor().getUid() == frontend.user.userId",
 *          },

or when doing PATCH/PUT you can additionally do checks on incoming data with security_post_denormalize. In that case object has incoming data.

 *          "patch"={
 *              "path"="/model/{id}",
 *              "method"="PATCH",
 *              "security_post_denormalize"="frontend.user.isLoggedIn && object.getAuthor().getUid() == frontend.user.userId",
 *               "security"="frontend.user.isLoggedIn && object.getAuthor().getUid() == frontend.user.userId",
 *          },

[oliverkroener]

@kszymukowicz thank you very much for those efforts and the reply.

I am currently working on a SSO solution with keycloak. Will try to implement that with your API.

When it's ready I will post that also.

Thanks again and keep up the brilliant work!