
Check permissions

Does user Sebastian have read permission on resource type file in folder Foo?

Checking permissions is a common task in any application. The Permissions Space Block provides a simple API to check if a subject (e.g. a user) has a specific permission on a resource. It returns a true or false boolean value indicating whether the subject has the requested permission on the resource.

Use case

The check permissions operation is useful for hiding or showing UI elements based on the current user's permissions, or for checking whether a user has access to a specific resource that has been shared via direct link. It can also be used in the backend to validate permissions before executing an operation, which is the check that actually protects the resource, since UI-only checks can be bypassed by calling the backend directly.

Flow

Example: User Bob wants to delete a file, and you need to check with Space Blocks whether he has the permission to do so. For this, in the delete logic of your backend, you check Bob's permissions on the file he wants to delete with Space Blocks.

➊ In your Frontend, Bob wants to delete folder Foo and sends that request to your Backend

➋ Your Backend checks with Space Blocks whether Bob has the delete permission on the folder with ID Foo

➌ Space Blocks responds with true or false

➍ If the response is positive, your Backend deletes the folder in your database

➎ Your Backend returns HTTP status code 204 (No Content) or 403 (Forbidden) to your Frontend

Usage

To check whether a subject has permissions on a resource, use the tenant's CheckPermissions API:

  • /tenants/<TENANT_ID>/permissions/check

The following query parameters are required:

  • resourceType: The resource type ID
  • resourceId: The ID of the resource to check permissions on
  • permissionScope: The resource type ID on which the permission to check is defined
  • permission: The permission ID to check (can occur multiple times)
  • subjectId: The ID of the subject to check permissions for

Example:

  • /tenants/456/permissions/check?resourceType=folder&resourceId=123&permissionScope=files&permission=create-files&permission=read&subjectId=6789

Request:

# The URL must be quoted: unquoted, the shell treats each & as a command separator
# and only the first query parameter reaches the API.
curl -i --location "https://<YOUR_API_URL>/management/tenants/<TENANT_ID>/permissions/check?resourceType=<RESOURCE_TYPE>&resourceId=<RESOURCE_ID>&permissionScope=<RESOURCE_TYPE_SLUG>&permission=<PERMISSION_SLUG>&permission=<PERMISSION_SLUG>&subjectId=<SUBJECT_ID>" \
--header "Content-Type: application/json" \
--header "Authentication: Bearer <YOUR_ACCESS_TOKEN>" \
--header "apiKey: <YOUR_API_KEY>"

Example Response:

true
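The flow above carried into backend code, as an added example that is not Space Blocks' own SDK or documentation code: it builds the check URL with repeated permission parameters, treats anything other than a literal true response as denied, and returns 204 or 403 accordingly. The transport callable, the demo-key value, the folder permission scope and the in-memory store are assumptions made for this example.

```python
"""Backend-side permission check before a destructive operation.

Assumes the API answers with the JSON literal true/false (as the example
response shows) and that `send` is any callable (url, headers) -> (status, body).
"""
import json
from urllib.parse import urlencode


def build_check_url(api_url, tenant_id, resource_type, resource_id,
                    permission_scope, permissions, subject_id):
    # doseq=True repeats `permission` once per value, as the API expects
    query = urlencode({
        "resourceType": resource_type,
        "resourceId": resource_id,
        "permissionScope": permission_scope,
        "permission": list(permissions),
        "subjectId": subject_id,
    }, doseq=True)
    return f"{api_url}/management/tenants/{tenant_id}/permissions/check?{query}"


def has_permission(send, url, access_token, api_key):
    """True only on HTTP 200 with body `true`; any error or odd body is a denial (fail closed)."""
    headers = {"Authentication": f"Bearer {access_token}", "apiKey": api_key}
    status, body = send(url, headers)
    if status != 200:
        return False
    try:
        return json.loads(body) is True
    except ValueError:
        return False


def delete_folder(send, subject_id, folder_id, store, cfg):
    """Mirror of the documented flow: check with Space Blocks, then delete or refuse."""
    # Assumption: the `delete` permission is defined on the `folder` resource type
    url = build_check_url(cfg["api_url"], cfg["tenant_id"], "folder", folder_id,
                          "folder", ["delete"], subject_id)
    if not has_permission(send, url, cfg["token"], cfg["api_key"]):
        return 403  # Forbidden: nothing is removed
    store.pop(folder_id, None)
    return 204  # No Content: folder deleted


def fake_send(url, headers):
    # Constructed stand-in for the HTTP call: only subject 6789 holds delete on folders
    if headers.get("apiKey") != "demo-key":
        return 401, '{"error":"unauthorized"}'
    allowed = "subjectId=6789" in url and "permission=delete" in url
    return 200, ("true" if allowed else "false")
```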