riccox
Allow connecting with a read-only key
I'd like to connect to a meilisearch server and use these tools for the readonly calls.
For example:
'https://ms-adf78ae33284-106.lon.meilisearch.io',
'a63da4928426f12639e19d62886f621130f3fa9ff3c7534c5d179f0f51c4f303'
are available from meilisearch to run readonly demos.
So instead of master-api-key, I'd like just api-key, and then I believe it can query for what permissions it has the the application can only allow those calls.
I can share a key that has more permissions (all read-only) when you're ready to test this.
Surprisingly, the key I shared allows searches, but doesn't allow seeing the settings, which means it's impossible to know what facets are available.
@tacman
For this idea, my current opinion is creating a read-only mode for app. It can be enabled by env variable.
but in my case, I have keys with readonly settings that fail. I don't run it locally, I run from your website, so I don't have control of the env vars.
A readonly key opens up all sorts of possibilities.
In particular, I can share the readonly key publicly, I don't want to share the master key except when creating/populating indexes.
It will take a long time to implement this function if this app need to toggle functions based on permissions of keys.
Lots of parts need to be refactored.
Yeah, I was afraid of that. Obviously, you can get the permissions from the key itself, but then every section of the code that implemented a call would need to check it.
I'm trying to encourage meilisearch to open up their search servers for readonly access, it would make their demos MUCH easier to code. Most of their demos require a huge effort to run locally, because most of the work is in building the index. If they provided it, demos could skip the time-consuming part of building the index and creating the proper settings.
And your tools would be perfect for inspecting those indexes during development.