I am working on a realtime plugin with the help of socket.io right now, allowing the user to be notified whenever anyone posts anything successfully on an API.
I only want users to be able to get that information when they are allowed to make a GET request anyway.
What's the best way to check for permissions generically? Like:
User A listens to a list of blog posts.
User B adds a post to the list.
User A is going to be sent this information because he is listening to the right socket connection.
I have the JWT of user A. How do I verify that user A has permission to look at these blog posts?
Currently everyone can listen to all data, which is problematic.
Ideally I want to tap into the existing permission check for GET requests for that specific API endpoint.
I’m not quite sure what you are asking. Do you just want to get a list of permissions the role the user is assigned to has? Or are you looking for more advanced control other than just “User has access to this controller”? If it's the more advanced control, you will want to handle this with policies; however, socket.io may be bypassing permissions entirely depending on where it’s defined.
User A will get a notification about the blogpost.
This code is generic and will be run for every POST request, and will send messages to the respective listeners via socket.io.
What I want to know is whether there is a generic way to check if a user is allowed to even receive this GET request.
Like this:
User A sets up to listen to /blogposts
User B makes a POST request to add a blogpost
My code checks if the user is allowed to receive GET requests of /blogposts without writing specific code for /blogpost.
User A will get a notification about the blog post ONLY if he has permission to make a GET request anyway.
PS: Thanks for the quick reply already. I really appreciate that.
I have currently re-engineered the listener middleware that I am writing to be able to call strapi.realtime.addListener(socket, path), which allows me to emit packets to the client's socket the second there is an update, i.e. a successful POST request for an item.
Now the question would be:
Is there a possibility to automatically generate an endpoint /blogpost/add-listener that calls that function only if a GET request for /blogpost is allowed?