mb-rest-api
access control on metadata
One challenge we have is restricting user access to the metadata... I'm toying with the idea of adding an entry to each metadata definition containing a set of required capabilities (maybe an entry for read, an entry for write), and a check with 'current_user_can' against these for data read and data write. Any thoughts/plans on this?
Yeah, it's a good idea. I'm not sure if we can just use current_user_can. Probably authentication?
If authentication is in place, then we are already authenticated here, and the current user is set. (I've used both OAuth1 and a home-brew JWT in this project.) If the current user is unset, then the current user is zero; for people who do not allow unauthenticated access to REST, it would not get to these functions unless the user is valid. What I'm unsure of is what current_user_can([]) would return if there is no current user, and also what it will DO - I think it may try to check authorisation every time; not very efficient.
If so, I think current_user_can is enough. It checks if no user is set and will return false for any capability.
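Below is an added example of the approach discussed in this thread: per-field read/write capabilities checked with current_user_can() when meta is served or updated over the REST API. It is illustrative code written for this page, not the mb-rest-api plugin's own implementation. The field keys `rest_read_cap` and `rest_write_cap`, the `mbdemo_` function prefix, the REST field name `mbdemo_meta`, the sample field definitions and the use of the `post` post type are all assumptions made for the example; the WordPress functions it calls (`register_rest_field`, `current_user_can`, `is_user_logged_in`, `get_post_meta`, `update_post_meta`, `rest_authorization_required_code`) are real.

```php
<?php
/**
 * Hypothetical example (not the mb-rest-api plugin's code): per-field
 * capability checks for post meta exposed over the WordPress REST API.
 *
 * Each field definition carries two extra keys invented for this example,
 * 'rest_read_cap' and 'rest_write_cap'. A field with no capability entry for
 * a mode is simply not available in that mode (deny by default).
 */

// Constructed sample field definitions, shaped like a Meta Box 'fields' array.
function mbdemo_fields() {
    return array(
        array( 'id' => 'public_summary', 'type' => 'textarea',
               'rest_read_cap' => 'read',       'rest_write_cap' => 'edit_posts' ),
        array( 'id' => 'internal_notes',  'type' => 'textarea',
               'rest_read_cap' => 'edit_posts', 'rest_write_cap' => 'edit_others_posts' ),
        array( 'id' => 'audit_hash',      'type' => 'text',
               'rest_read_cap' => 'manage_options' ), // no write cap: read-only over REST
    );
}

/**
 * True if the current user may access $field in $mode ('read' or 'write').
 *
 * current_user_can() is safe to call when nobody is authenticated: the current
 * user is then a WP_User with ID 0 and an empty capability set, so any real
 * capability check returns false. The one special case is 'exist', which
 * WordPress grants to everyone, so never configure it as a gate. We still
 * short-circuit on is_user_logged_in() so that anonymous requests are denied
 * explicitly and no capability lookup runs for them.
 */
function mbdemo_user_can( array $field, $mode, $post_id ) {
    $key = ( 'write' === $mode ) ? 'rest_write_cap' : 'rest_read_cap';
    if ( empty( $field[ $key ] ) || ! is_user_logged_in() ) {
        return false;
    }
    // Passing the post ID lets meta capabilities (e.g. edit_post) resolve per object.
    return current_user_can( $field[ $key ], $post_id );
}

add_action( 'rest_api_init', 'mbdemo_register_rest_fields' );

function mbdemo_register_rest_fields() {
    register_rest_field( 'post', 'mbdemo_meta', array(
        'get_callback'    => 'mbdemo_rest_get',
        'update_callback' => 'mbdemo_rest_update',
        'schema'          => array( 'type' => 'object', 'context' => array( 'view', 'edit' ) ),
    ) );
}

// Read: include only the fields the caller may read. Unreadable fields are
// omitted entirely rather than returned as null, so their existence is not leaked.
function mbdemo_rest_get( array $object ) {
    $out = array();
    foreach ( mbdemo_fields() as $field ) {
        if ( mbdemo_user_can( $field, 'read', $object['id'] ) ) {
            $out[ $field['id'] ] = get_post_meta( $object['id'], $field['id'], true );
        }
    }
    return $out;
}

// Write: validate every submitted key before touching the database, so a
// request mixing writable and forbidden fields is rejected as a whole.
function mbdemo_rest_update( $value, WP_Post $post ) {
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'mbdemo_meta must be an object.', array( 'status' => 400 ) );
    }
    $fields = array();
    foreach ( mbdemo_fields() as $field ) {
        $fields[ $field['id'] ] = $field;
    }
    foreach ( $value as $id => $v ) {
        if ( ! isset( $fields[ $id ] ) || ! mbdemo_user_can( $fields[ $id ], 'write', $post->ID ) ) {
            return new WP_Error(
                'rest_forbidden',
                sprintf( 'Cannot write meta field "%s".', $id ),
                array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
            );
        }
    }
    foreach ( $value as $id => $v ) {
        $clean = ( 'textarea' === $fields[ $id ]['type'] ) ? sanitize_textarea_field( $v ) : sanitize_text_field( $v );
        update_post_meta( $post->ID, $id, $clean );
    }
    return true;
}
```

On the efficiency question raised above: current_user_can() does not re-run authentication. The REST server authenticates once per request and sets the current user; current_user_can() then reads that user's already-loaded capability map through wp_get_current_user(), so calling it once per field is cheap.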