Skip to content

Read AND write access to chasse_config for non-admin user

Rich requested to merge github/fork/ufundo/permissions into master

Created by: ufundo

Hi @artfulrobot ,

Sorry it took me a while to test your edits to PR ─ and I'm afraid they don't seem to work for me

I don't think it's possible to allow "full" access to a given setting just by checking the 'name' parameter, because the 'create' call to save the settings doesn't take a 'name' parameter.

So non-admin user couldn't save new journeys.

Instead I think we need to that chasse_config is a key in the parameter array.

My initial PR did this, but didn't check it was the only key, which seemed open to abuse if you could save two settings at the same time. This updated version attempts to do this more tightly.

It seems a little bit "hacky" to me, but can't see any other approach that will work inside the current api interface / alterAPIPermissions hook. (Don't know if there is some design reason why it has to be like this? Feels like a limitation baked of the api interface design IMHO!)

Merge request reports