Version: 1.0.0

Permissions - Summary

Potion's APIs let you set very detailed rights restrictions for your users. On request, every API response adapts to what a given user is allowed to do, which makes user permissions easy to handle.


Core concept

Potion lets you create as many permission sets as you want. A permission set is applied to a user, who then inherits all the rights you decide to allow them.

A permission set groups all the different kinds of actions a user can perform. We provide a very intuitive interface to configure each of your sets. A set will look like this:

Handling permissions

By default, Potion's API endpoints do not apply permissions. If you want permissions to be applied, you must pass the with_rights parameter with the value true on every call.

The for_user_id parameter can be used in two ways. You can add it to your query with no value to get the permissions of a non-connected user, or you can set it to the id of the user you are targeting.

Nothing beats an example. Suppose you have created a user role that is not authorized to display pages created on your community. A user with this role wants to display all the articles.

Normally you would query the endpoint /public-api/v1/articles with an HTTP GET request, but that returns all the created articles, even those created by or in pages. To return only the articles available to your user, query /public-api/v1/articles?with_rights=true&for_user_id=USER_ID instead. You will then receive all the articles except those published by or in pages.

Note that if you have created a non-connected user permission set, simply call /public-api/v1/articles?with_rights=true&for_user_id= without any specific user id.
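
Because permissions are only applied when with_rights=true is sent, a client-side wrapper that always adds it, plus a check over outgoing request URLs, helps catch calls that silently skip permissions. The following is an added example, not Potion's own code: the host community.example, the function names scopedUrl and auditUrl, and the sample URLs are assumptions, and treating a missing or repeated parameter as a finding is a choice made here because the page does not document those cases.

```javascript
// Added example, not Potion's own code. BASE is a placeholder host.
const BASE = "https://community.example";

// Build a permission-scoped URL. userId === null means "non-connected user":
// for_user_id is then sent with an empty value, as the page describes.
function scopedUrl(path, userId = null, extra = {}) {
  const url = new URL(path, BASE);
  for (const [k, v] of Object.entries(extra)) {
    // Callers may not override the two permission parameters.
    if (k === "with_rights" || k === "for_user_id") {
      throw new Error(`reserved parameter: ${k}`);
    }
    url.searchParams.set(k, String(v));
  }
  url.searchParams.set("with_rights", "true");
  // searchParams percent-encodes the value, so an id such as
  // "42&with_rights=false" cannot smuggle in a second parameter.
  url.searchParams.set("for_user_id", userId === null ? "" : String(userId));
  return url.toString();
}

// Audit one request URL: list the reasons permissions may not be applied.
function auditUrl(raw) {
  const url = new URL(raw, BASE);
  if (!url.pathname.startsWith("/public-api/")) return [];
  const findings = [];
  const rights = url.searchParams.getAll("with_rights");
  const users = url.searchParams.getAll("for_user_id");
  if (rights.length === 0) findings.push("with_rights missing: permissions not applied");
  else if (rights.some((v) => v !== "true")) findings.push("with_rights is not true");
  if (rights.length > 1) findings.push("with_rights repeated");
  // Assumption: the page does not say what happens without for_user_id.
  if (users.length === 0) findings.push("for_user_id missing");
  if (users.length > 1) findings.push("for_user_id repeated");
  return findings;
}

// Constructed sample URLs, not captured traffic.
const samples = [
  "/public-api/v1/articles",
  scopedUrl("/public-api/v1/articles", "USER_ID"),
  scopedUrl("/public-api/v1/articles"),
  "/public-api/v1/articles?with_rights=true&for_user_id=7&with_rights=false",
];
for (const s of samples) console.log(s, "->", auditUrl(s));
```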