What are the Slack Archives?
It's a history of our time together in the Slack Community! There's a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.
Because this space is not active, you won't be able to create a new post or comment here. If you have a question or want to start a discussion about something, head over to our categories and pick one to post in! You can always refer back to a post from Slack Archives if needed; just copy the link to use it as a reference.
Hello. I have few questions about Glue API.
1. Is there any way to restrict API access for users? For example, I want to give access only to the orders API for a certain user. How can I do it? As I see, you have user roles, but this is only for backend users. And to access the API with a token you are using frontend users.
2. Why is authentication made using frontend users? Theoretically, in this case each user that has been registered in the shop can fetch any data using the API. Even with an access token. Or am I missing something?
Thanks
Comments
-
Hey Alex!
In general Glue API is a storefront API, so guest customer or a registered customer (what you call a frontend user) is the actor there, just like in yves. It will be automatically restricted to seeing only the things that are available without any restrictions (like products or categories - anyone opening a website can access that) or only those available to him (order placed by the customer, her addresses or profile info)
Restricting the access per customer is not OOTB, it can be implemented with the ControllerBeforeActionPluginInterface
You can also look at what customer access feature is offering, but I do not think it will cover your case since it is meant to forbid guest customers access.
0 -
I do not get what you mean by "fetch any data using API". Sure it is the case. This is what we mean it to be like
0 -
I mean that if I'm a registered customer and I know the endpoint, I can fetch orders from other users, other customers' data.
0 -
it is not very secure, or?
0 -
How is it possible? Have you tried it on your own?
0 -
Trying to get a resource of another customer (in this case - order) you'll get something like
{ "errors": [ { "code": "801", "status": 404, "detail": "Can't find order by the given order reference" } ] }
0 -
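A minimal sketch of the behaviour described in the comment above, added here as an example; it is not Spryker code and not part of the original thread. The order store, customer references, success body and function names are constructed for illustration; only the 404 error body is taken from the thread.

```python
# Added illustration; not Spryker code. Names and data below are constructed.
ORDERS = {  # order reference -> owning customer reference (constructed sample data)
    "DE--1": "DE--21",
    "DE--2": "DE--21",
    "DE--3": "DE--35",
}

# Error body as quoted in the thread.
NOT_FOUND = {"errors": [{"code": "801", "status": 404,
                         "detail": "Can't find order by the given order reference"}]}


def get_order(token_customer, order_reference):
    """Look up an order scoped to the customer the access token belongs to."""
    owner = ORDERS.get(order_reference)
    # Missing and foreign orders get the identical 404 body, so a caller
    # cannot use the response to learn which order references exist.
    if owner is None or owner != token_customer:
        return 404, NOT_FOUND
    return 200, {"data": {"type": "orders", "id": order_reference,
                          "attributes": {"customerReference": owner}}}


def audit_cross_customer_access(customers, order_references):
    """Request every order as every customer; return the pairs that leak."""
    leaks = []
    for customer in customers:
        for ref in order_references:
            status, body = get_order(customer, ref)
            if ORDERS.get(ref) == customer:
                continue  # own order: access is expected
            if status != 404 or body != NOT_FOUND:
                leaks.append((customer, ref, status))
    return leaks


if __name__ == "__main__":
    refs = list(ORDERS) + ["DE--999"]  # include a reference that does not exist
    print(audit_cross_customer_access(["DE--21", "DE--35"], refs))
```

The same audit loop can be pointed at a real storefront API in a test environment by replacing `get_order` with an HTTP call made with each test customer's token.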
Ah yeah. I misunderstood Eugenia's answer.
But you don't have a backend API at all, right?
0 -
We have Zed API which is Beta but is useful with some additional efforts. @UKJSE6T47 could give more info here.
0 -
backend api (also order management) is on the roadmap at the moment, that's correct!
0 -
OK. Thanks. Now everything is clear. I thought that Glue API is a backend API. That is why I asked such questions.
0