In the following example I get the fullname of the author of an item using the action getUser(userId) to show it in the view. That works fine but only if I am logged in. How do I show it for anonymous users as well?
And another question: How do I find out that the user-data will end up in state.users.user and not in state.user or in state.deadparrot?
I found the answer to the first question. The permission plone.restapi: Access Plone user information is used in the @users endpoint that is used by the action getUser. By default that is only granted to Manager (not even Site Administrator).
If I grant that permission to Anonymous it works.
Doing that can obviously be a security-problem depending on your use-case.
I will probably overwrite the endpoint to only return fullname and home_page in case the user is not a Manager.
Interesting... I'm facing a similar situation, except, I want to check for the user's roles.
I don't want to give anonymous that much control of the @users endpoint.
Perhaps I need a simple @myroles endpoint that reports a user's current roles