Hey guys - I'm trying to limit an API key to read-only access to specific models (for security).
I thought this would have been built in, because a user role is associated with the API key on setup.
However, my limited user role will still completely list out all models and do a full read when using client.items.all() with datocms-client.
Is this possible, or is this a feature that needs to be built as well?
Actually, it looks like user roles are checked when I use the client.items.find function, but items.all ignores any whitelist/blacklist and allows you to read the full site.
Hey @tom, you've found something that is currently a weak spot of Dato.
Unfortunately, we don't have a way to properly manage permissions on modular blocks. So what you are getting is a list of all the records for which you have permission AND all the modular blocks.
One thing that you can do is to also pass the filter with the models that you would like to retrieve, so that you filter out the modular blocks that you are not expecting.
Sorry for this; we are planning to release a new version of the API with this change, but unfortunately it's quite a big change internally at the moment.
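Added example (my own code, not from the thread or from DatoCMS): a server-side wrapper around client.items.all() that sends the filter suggested above and then enforces its own allow-list before any record is returned to a public caller, so the key never has to leave the server. It assumes items.all() accepts a 'filter[type]' parameter (comma-separated model ids) and an { allPages: true } option, and that each deserialized record exposes its model id as itemType; the model ids and sample records are constructed.

```javascript
// Added example, not part of the thread or of datocms-client itself.
// Assumptions: client.items.all(params, { allPages: true }) accepts a
// 'filter[type]' parameter holding comma-separated model ids, and each
// record it returns carries its model id in item.itemType.

// Model ids the public endpoint may expose (constructed placeholder ids).
const PUBLIC_MODEL_IDS = ['1001', '1002'];

// Server-side filter: asks DatoCMS for the allowed models only. It narrows
// the response but is not an access control; the key can still read everything.
function buildFilterParams(allowedModelIds) {
  return { 'filter[type]': allowedModelIds.join(',') };
}

// Allow-list enforced in our own code: anything whose model is not listed
// (a modular block, an unexpected record) is dropped before it leaves the server.
function enforceAllowList(items, allowedModelIds) {
  const allowed = new Set(allowedModelIds);
  const kept = [];
  const rejected = [];
  for (const item of items) {
    (allowed.has(item.itemType) ? kept : rejected).push(item);
  }
  return { kept, rejected };
}

// Glue for a real request: fetch with the filter, then apply the allow-list.
// The DatoCMS API key stays on the server; the browser only sees `kept`.
async function fetchPublicItems(client, allowedModelIds = PUBLIC_MODEL_IDS) {
  const items = await client.items.all(buildFilterParams(allowedModelIds), { allPages: true });
  const { kept, rejected } = enforceAllowList(items, allowedModelIds);
  if (rejected.length > 0) {
    // Worth logging: the filter returned models it should not have.
    console.warn(`dropped ${rejected.length} record(s) of non-public models`);
  }
  return kept;
}

// Constructed sample of what items.all() might return, modular block included.
const SAMPLE_ITEMS = [
  { id: '1', itemType: '1001', title: 'Public article' },
  { id: '2', itemType: '1002', name: 'Author' },
  { id: '3', itemType: '2001', heading: 'Modular block' },
  { id: '4', itemType: '3001', body: 'internal-only record' },
];
```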
It's more that the API usage in this instance really needs to be locked down to a specific model, as it's a public-facing API call, so providing a filter doesn't really solve the security issue listed here. No problem, I'll find another way of doing it - please let me know if this issue gets solved in the future.
It surely will. We'll soon start work on a new version of the API that will fix that and also provide other benefits. We've been thinking a lot about that, so it will happen soon!