*In other words the /pages endpoint returns a list of all pages that a given user is allowed to see.*

Interesting. I wasn't able to reproduce this on the master branch with jane.doe as the user (who doesn't have admin rights). She can see everyone's pages. Might I be doing something wrong? Or might the master branch be outdated relative to the Angular branch in this regard?

*there is a "pages for render" endpoint*

Oh, really? Awesome! Is this documented somewhere?

On Thu, Aug 21, 2014 at 2:25 PM, Erin Noe-Payne <[email protected]> wrote:

> In concept the /pages endpoint is only accessible as a logged in user, and the list of pages returned to a given user will always be filtered via their permissions. In other words the /pages endpoint returns a list of all pages that a given user is allowed to see.
>
> Regarding the needs of the angular application, there is a "pages for render" endpoint, because a page or pages need to be composed with its regions, widgets, and security tokens before the widgets can actually be rendered for the client.
>
> On Thu, Aug 21, 2014 at 12:04 PM, Jmeas Apache <[email protected]> wrote:
>
> > Hey there folks!
> >
> > I'm looking at the endpoints for pages, which are specced out here <http://wiki.apache.org/rave/RESTAPI>, and I have some questions for ya.
> >
> > One question regards security and privacy. It seems that the /pages endpoint returns the pages for every user, and is also accessible to every user – even users who aren't admins. Would it be preferable for users to only be allowed to see their own pages, for the sake of security and privacy?
> >
> > Another problem I see is that there's no way to get the pages for just a single user. In the Angular app, when Jane Doe loads her home page all that the API needs to give back are Jane Doe's pages. That's the most valuable endpoint, I think, but I'm not seeing it listed on the spec.
> >
> > In fact, I might go so far as to say that, from the perspective of the frontend, that's the *only* endpoint that we need.
> >
> > So the second suggestion is that we add some new endpoints for getting the pages back for a specific user. And you only get data back if you are that user or you're an admin.
> >
> > What do y'all think?
> >
> > James
