espenmn
(Espen)
1
How can I get user information from /@@user restApi endpoint without giving that user permissions to edit user (information)?
PS: I can list each user if I add 'plone.restapi: Access Plone user information' to myuser;
curl -i -X GET mysite/@users/some-one -H "Accept: application/json" -k --user myuser:mypassword
But I can not 'list all'
curl -i -X GET mysite/@users -H "Accept: application/json" -k --user myuser:mypassword
(Someone is making a desktop app and needs to fetch user information, but I don't want that user / login to be able to edit 'anything'.)
seanupton
(Sean Upton)
2
If you want something more granular than the permission that's there now, you likely need to:
- Implement your own new permission in rolemap within your policy product instead of Plone Site Setup: Users and Groups.
- Monkey patch in your policy plone.restapi.services.user.get.UsersGet.has_permission_to_enumerate (original here) to use such a custom permission.
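A sketch of the monkey patch suggested above, added here as an example and not taken from the thread or from plone.restapi. The permission title `mypolicy: List users`, the marker attribute and the function names are hypothetical; the permission must also be declared in the policy package and granted to a role in rolemap.xml.

```python
"""Patch for a policy package: let a dedicated permission list users via @users."""

# Hypothetical permission title; it must also be declared in the policy
# package (ZCML <permission>) and granted to a role in rolemap.xml.
LIST_USERS_PERMISSION = "mypolicy: List users"
_MARKER = "_mypolicy_enumerate_patched"


def patch_users_get(users_get_cls, get_security_manager,
                    permission=LIST_USERS_PERMISSION):
    """Widen has_permission_to_enumerate on users_get_cls; return True if applied."""
    if getattr(users_get_cls, _MARKER, False):
        return False  # already patched, do not wrap the wrapper
    original = users_get_cls.has_permission_to_enumerate

    def has_permission_to_enumerate(self):
        # Keep the stock rule so site administrators are unaffected.
        if original(self):
            return True
        # checkPermission returns a truthy value or None; normalise to bool.
        sm = get_security_manager()
        return bool(sm.checkPermission(permission, self.context))

    users_get_cls.has_permission_to_enumerate = has_permission_to_enumerate
    setattr(users_get_cls, _MARKER, True)
    return True


def apply_patch():
    """Call once at startup, e.g. from the policy package's initialize()."""
    # Imports are local so this module also loads outside a Plone process.
    from AccessControl import getSecurityManager
    # Assumption: module path as found in plone.restapi releases; check yours.
    from plone.restapi.services.users.get import UsersGet
    return patch_users_get(UsersGet, getSecurityManager)
```

Only the enumerate check on the GET service is replaced; nothing in this code grants a write permission to the role that holds the custom permission.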
espenmn
(Espen)
3
Thanks.
I ended up by making a new role (rolemap.xml, 'can list users') and a new restApi endpoint.
djay
(Dylan Jay)
4
You actually can already, but it's a bug. The list of users is returned by the querystring endpoint. @seanupton @espenmn