API limitations set by user roles

Hey guys - I'm trying to limit an API key to read-only access to specific models (for security).
I thought this would have been built in, because a user role is associated with the API key on setup.
However, my limited user role will still completely list all models and do a full read when using client.items.all() with datocms-client.

Is this possible or is this a feature that needs to be built as well?

Actually, it looks like user roles are checked when I use the client.items.find function, but items.all ignores any whitelist/blacklist and allows you to read the full site.

I've added a GitHub issue here: https://github.com/datocms/js-datocms-client/issues/74

Thank you for this, we'll get back as soon as possible; it looks like a bug on our end.

Hey @tom, you've found something that is currently a weak spot of Dato :frowning:

Unfortunately we don't have a way to properly manage permissions on modular blocks. So what you are getting is a list of all the records for which you have permission AND all the modular blocks.

One thing that you can do is to also pass the filter with the models that you would like to retrieve, so that you filter out the modular blocks that you are not expecting.

Sorry for this, we are planning to release a new version of the API with this change, but unfortunately it's quite a big change internally at the moment.

It's more that the API usage in this instance really needs to be locked down to a specific model, as it's a public-facing API call, so providing a filter doesn't really solve the security issue listed here. No problem, I'll find another way of doing it - please let me know if this issue gets solved in the future.
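A defence-in-depth wrapper around the filter workaround suggested above, added here as an example (it is not code from the thread or from DatoCMS): it requests only the intended models and fails closed if the response contains anything else, so over-broad reads are detected rather than silently served. The `{ filter: { type: ... } }` parameter shape, the `itemType` field and the fake client are assumptions for illustration; as the thread notes, this does not change what the key itself is allowed to read.

```javascript
// Hypothetical helper, not part of datocms-client: verify that every record
// returned belongs to one of the model API keys the caller intended to read.
// Fails closed, so a record or modular block outside the role's scope is
// detected instead of silently used (the items.all behaviour reported above).
function assertOnlyAllowedTypes(records, allowedTypes) {
  const allowed = new Set(allowedTypes);
  const leaked = records.filter((r) => !allowed.has(r.itemType));
  if (leaked.length > 0) {
    const types = [...new Set(leaked.map((r) => r.itemType))].join(', ');
    throw new Error(`items.all returned ${leaked.length} record(s) outside allowed types: ${types}`);
  }
  return records;
}

// Wrapper around client.items.all(): requests only the allowed models and then
// double-checks the response. Assumption: the client accepts a params object of
// the form { filter: { type: 'model_a,model_b' } } (hypothetical shape).
async function fetchAllowedItems(client, allowedTypes) {
  const records = await client.items.all({ filter: { type: allowedTypes.join(',') } });
  return assertOnlyAllowedTypes(records, allowedTypes);
}

// Constructed stand-in for the real client: with honoursFilter=false it ignores
// the type filter and returns everything, like the behaviour described in the thread.
function makeFakeClient(records, honoursFilter) {
  return {
    items: {
      async all(params) {
        if (!honoursFilter) return records;
        const wanted = new Set(params.filter.type.split(','));
        return records.filter((r) => wanted.has(r.itemType));
      },
    },
  };
}

// Constructed sample data: two records of the intended model, one record of a
// model the role should not see, and one modular block.
const sampleRecords = [
  { id: '1', itemType: 'landing_page', title: 'Home' },
  { id: '2', itemType: 'landing_page', title: 'About' },
  { id: '3', itemType: 'internal_note', body: 'not for the public key' },
  { id: '4', itemType: 'hero_block', heading: 'Welcome' },
];
```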

It surely will. We'll soon start work on a new version of the API that will fix that and also provide other benefits. We've been thinking a lot about that, so it will happen soon!