888286 - Per API Key Permissions

Status: RESOLVED FIXED

(Webmaker Graveyard :: MakeAPI, defect)

Description

[Chris DeCairos (:cade)]

An app should only be able to Update or Delete makes that it creates.

Comment 1

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/MakeAPI/pull/147

I got this working on the train home.

Pretty much, this adds in a owner field (hidden from search results) to makes. The owner field is set to the public key of the application that authenticates with the makeAPI on a create call.

The owner of the make is checked on update, delete, like and unlike. in order to give higher powers to one key, I also added an ADMIN_API_KEY env variable. this can be used to correspond to webmaker's API key, so it can do whatever it likes with any make.

There's also a script to give makes an owner based on contentType.

Comment 2

[Chris DeCairos (:cade)]

I updated the branch so that API key records can be flagged as admin in the database, eliminating the need for a env var.

Comment 3

[Jon Buckley [:jbuck]]

Comment on attachment 806298 [details] [review]
https://github.com/mozilla/MakeAPI/pull/147

This is looking pretty solid, some things noted in the PR. How will local dev mode interact with this admin make mode?

Comment 4

[Jon Buckley [:jbuck]]

Comment on attachment 806298 [details] [review]
https://github.com/mozilla/MakeAPI/pull/147

looks good, but we have another blocker before we can land this...

Comment 5

[[github robot]]

Commit pushed to master at https://github.com/mozilla/MakeAPI

https://github.com/mozilla/MakeAPI/commit/14f537fbba0f78fd69fe80fe139820de5676e439
Bug 888286 - Only permit the app that created a make, or webmaker.org to update or delete a make