Permissions

Grape permissions are based on roles. This page describes all currently available roles and permissions.

Restrict group access

Restrict who can post a message

Three steps are needed to restrict who can post a message to a group:

  1. Discover the ID of the role you need
  2. Discover the content type of your target object, that is, the object for which the permission is required
  3. Restrict the permission on the target object for the role you want

Example

For example, to create a group where only the group admins can post messages and others can just read (announcement channels), the steps are:

  1. First, create the group as usual

  2. Then, get the ID of the admin role for your organization. The request should be as follows (use your own organization ID):

    curl --request GET \
      --url 'https://<DOMAIN>/api/rest/access-groups/?origin_ct__app_label=accounts&origin_ct__model=role&label=role_admin&organization=1' \
      --header 'authorization: Token <TOKEN>' \
      --header 'content-type: application/json'

    The response would be something like:

    {
      "count": 1,
      "next": null,
      "previous": null,
      "results": [
        {
          "id": 41,
          "label": "role_admin",
          "organization": 1,
          "origin_ct": 36,
          "origin_id": 1
        }
      ]
    }
    

    Make sure the response contains the proper role. The only attribute that matters here is id, but all fields are described:

    • label: just a string. It contains the role's name so the role is easy to identify.
    • organization: ID of the organization
    • origin_ct: ID of the content type role
    • origin_id: ID of the role
    • id: access group ID. It is used as access_group in step 4.
  3. Discover the ID of the content_type channel, as we want to restrict access to a channel:

    curl --request GET \
      --url 'https://<DOMAIN>/api/rest/access-content-type/?model=channel&app_label=chat' \
      --header 'authorization: Token <TOKEN>' \
      --header 'content-type: application/json'
    

    The response would be something like:

    {
      "count": 1,
      "next": null,
      "previous": null,
      "results": [
        {
          "id": 23,
          "app_label": "chat",
          "model": "channel"
        }
      ]
    }
    

    Once again, the only attribute that matters here is id, which is the content type ID for channel. It is used as target_ct in step 4.

  4. Finally, set the permission on the group (assuming the new group has ID 20):

    curl --request POST \
      --url https://<DOMAIN>/api/rest/access-permissions/ \
      --header 'authorization: Token <TOKEN>' \
      --header 'content-type: application/json' \
      --data '{ "permission": "can_post_message", "target_ct": 23, "target_id": 20, "access_group": 41}'
    

    The response would be something like:

    {
      "permission": "can_post_message",
      "target_ct": 23,
      "target_id": 20,
      "access_group": 41
    }
    

    This request will allow only admins to post messages to group 20. The attributes are:

    • permission: just a label that identifies this permission. It should always be "can_post_message"
    • target_ct: ID of the content_type channel. The value must be the same as the id you got in step 3.
    • target_id: ID of the channel whose permission is being changed
    • access_group: access group. The value must be the same as the id you got in step 2.
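The four steps above, chained into one script as an added example (this is not Grape's own client code; the function and parameter names are this example's own, and only the REST paths come from this page). It refuses to create the permission unless each lookup returns exactly one matching object, so a typo in the role label or organization cannot silently grant posting rights to the wrong access group; the token is read from the environment rather than embedded.

```python
import json
import os
import urllib.request

# Constructed example: the helper names and validation logic are this example's
# own assumptions, not Grape's client library. Only the REST paths are from the docs.

def default_transport(method, url, token, body=None):
    """Send one request to the Grape REST API and return the decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "authorization": f"Token {token}", "content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def single_result(page, what):
    """Refuse to proceed unless the lookup matched exactly one object."""
    if page.get("count") != 1 or len(page.get("results", [])) != 1:
        raise ValueError(f"expected exactly one {what}, got {page.get('count')}")
    return page["results"][0]

def restrict_posting(domain, token, org_id, channel_id, role="role_admin",
                     transport=default_transport):
    """Allow only members of `role` to post in `channel_id` (steps 2 to 4)."""
    base = f"https://{domain}/api/rest"
    # Step 2: access group of the role, scoped to this organization.
    group = single_result(transport("GET",
        f"{base}/access-groups/?origin_ct__app_label=accounts&origin_ct__model=role"
        f"&label={role}&organization={org_id}", token), "access group")
    if group["label"] != role or group["organization"] != org_id:
        raise ValueError("access group does not match requested role/organization")
    # Step 3: content type ID of chat.channel.
    ct = single_result(transport("GET",
        f"{base}/access-content-type/?model=channel&app_label=chat", token),
        "content type")
    # Step 4: grant can_post_message on this channel to that access group only.
    body = {"permission": "can_post_message", "target_ct": ct["id"],
            "target_id": channel_id, "access_group": group["id"]}
    return transport("POST", f"{base}/access-permissions/", token, body)

if __name__ == "__main__":
    # GRAPE_DOMAIN and GRAPE_TOKEN are assumed environment variables.
    print(restrict_posting(os.environ["GRAPE_DOMAIN"], os.environ["GRAPE_TOKEN"],
                           org_id=1, channel_id=20))
```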

Remove restriction

Removing a restriction is straightforward and takes two steps:

  1. Discover the permission ID
  2. Delete the permission with this ID

Example

Let’s continue with our example and remove the restriction we added.

  1. Discover the permission ID for can_post_message

    curl --request GET \
      --url 'https://<DOMAIN>/api/rest/access-permissions/?permission=can_post_message&target_id=21&target_ct__model=channel&target_ct__app_label=chat' \
      --header 'authorization: Token <TOKEN>' \
      --header 'content-type: application/json'
    

    Set the proper target_id, that is, the ID of the announcement channel. The response would be something like:

    {
      "count": 1,
      "next": null,
      "previous": null,
      "results": [
        {
          "id": 1,
          "permission": "can_post_message",
          "target_ct": 23,
          "target_id": 21,
          "access_group": 46
        }
      ]
    }
    

    The id is used in step 2.

  2. Delete it!

    curl --request DELETE \
      --url 'https://<DOMAIN>/api/rest/access-permissions/1/' \
      --header 'authorization: Token <TOKEN>' \
      --header 'content-type: application/json'