In concept the /pages endpoint is only accessible as a logged-in user, and the list of pages returned to a given user will always be filtered via their permissions. In other words, the /pages endpoint returns a list of all pages that a given user is allowed to see.
Regarding the needs of the Angular application, there is a "pages for render" endpoint, because a page or pages need to be composed with its regions, widgets, and security tokens before the widgets can actually be rendered for the client.

On Thu, Aug 21, 2014 at 12:04 PM, Jmeas Apache <[email protected]> wrote:

> Hey there folks!
>
> I'm looking at the endpoints for pages, which are specced out here
> <http://wiki.apache.org/rave/RESTAPI>, and I have some questions for ya.
>
> One question regards security and privacy. It seems that the /pages
> endpoint returns the pages for every user, and is also accessible to every
> user – even users who aren't admins. Would it be preferable for users to
> only be allowed to see their own pages, for the sake of security and
> privacy?
>
> Another problem I see is that there's no way to get the pages for just a
> single user. In the Angular app, when Jane Doe loads her home page all that
> the API needs to give back are Jane Doe's pages. That's the most valuable
> endpoint, I think, but I'm not seeing it listed on the spec.
>
> In fact, I might go so far as to say that, from the perspective of the
> frontend, that's the *only* endpoint that we need.
>
> So the second suggestion is that we add some new endpoints for getting the
> pages back for a specific user. And you only get data back if you are that
> user or you're an admin.
>
> What do y'all think?
>
> James
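
The two access rules discussed in this thread (a /pages list filtered by the caller's permissions, and a per-user listing readable only by that user or an admin), sketched as an added example that is not part of the original messages or the Rave code base. The `User`/`Page` types, the `shared_with` sharing model, the `/users/{user_id}/pages` route and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

class Unauthenticated(Exception):
    """No logged-in user on the request (HTTP 401)."""

class Forbidden(Exception):
    """Logged in, but not allowed to read this resource (HTTP 403)."""

@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False

@dataclass(frozen=True)
class Page:
    id: str
    owner_id: str
    shared_with: frozenset = frozenset()  # assumed sharing model

# Constructed sample data, not taken from the thread.
PAGES = [
    Page("p1", "jane"),
    Page("p2", "john", frozenset({"jane"})),
    Page("p3", "john"),
]

def can_view(user: User, page: Page) -> bool:
    return user.is_admin or page.owner_id == user.id or user.id in page.shared_with

def list_pages(caller):
    """GET /pages: every page the caller is permitted to see, nothing else."""
    if caller is None:
        raise Unauthenticated("login required")
    return [p for p in PAGES if can_view(caller, p)]

def list_pages_for_user(caller, user_id):
    """Hypothetical GET /users/{user_id}/pages: that user or an admin only."""
    if caller is None:
        raise Unauthenticated("login required")
    # caller comes from the authenticated session; user_id is untrusted input
    # from the URL, so the two are compared on the server for every request.
    if not (caller.is_admin or caller.id == user_id):
        raise Forbidden("not your pages")
    return [p for p in PAGES if p.owner_id == user_id]
```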
