Creating an outputhandler for an API-Call, which omits any permissionChecks
I recently added the outputhandler ContactCountNumberofCases
in !122 (merged), for which I wanted to introduce the option, that any permission checks in the API-Calls of the outputhandler are omitted. This was needed to be able to create an API-Output for the dataprocessor, which could be used by an external software, which did not have any permissions beyond the annonymous user.
Testing the outputhandler I realized, that in the API-Call itself not only the code within formatField
is called, but also the code the process the configurations such as initializeConfiguration
. As I did not omitted the permissions checks there, the API call failed with an authorization error.
This leads me to two questions:
- Why is this code called in the first place, when the API-Call is done and not only, when the configurations are set?
- What would be a good practice here, to still enable an option, that the permission checks are omitted. Would it be viable to omit any permission checks in the configuration by default? Or is there another best practice.