Referring to:
I think the long term solution to this is a user settings page where this can be set up, and other settings can be modified by users with sufficient access. I think it's also maybe not a bad idea to set up an api.foo.bar style permission, where users could use paths of the API only with the correct permissions.
Originally posted by @b-rowan in #275
To enhance security and access control, we should consider implementing API path-based permissions. This would allow users to access specific API endpoints only if they have the necessary permissions, adding an extra layer of security beyond authentication.
Proposed Approach:
- Introduce a new permission system where API paths (or groups of paths) are mapped to required user roles or permissions.
- Define a permission format like api.foo.bar to control access to different API sections.
- Enforce these permissions at the API level, ensuring users can only call endpoints they are authorized for.
- Provide a way for administrators to configure and assign these permissions to users.
This would complement the existing authentication system and help enforce least-privilege access.
Would love to hear thoughts on this approach and any potential implementation considerations!