Object-Level Permissions for Modifying CommCareUser status via API

Hi everyone,

I've added two new endpoints in the 0.5 API user resource, and before I create the PR I would like to understand how object-level permissions are implemented in the API. My question might stem from my limited knowledge of TastyPie, so I apologize if I'm overlooking something obvious.

I noticed that there is a can_edit_commcare_users permission and decorator, but I don't see it being used in the API. I'm unsure about how to connect the domain/object and verify if an API user can modify a CommCareUser entity.

Any guidance would be greatly appreciated.

Edit: just to clarify, I saw RequirePermissionAuthentication(HqPermissions.edit_commcare_users); my question is specifically how do I determine that a user can modify a specific entity - or if this is automagically determined by TastyPie?

Great questions, sounds like you already have a good understanding of how this works.

> how do I determine that a user can modify a specific entity

That edit_commcare_users permission means that the user can edit all commcare users.

The exception to this is users that are location-restricted (access_all_locations = False), who can only edit users in their locations. However, this API endpoint isn't available to those users. For more on how this works, see the Location Permissions docs.

Hope this helps!
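The rule described in the reply above, written out as a stand-alone Python model. This is an added example, not CommCare HQ or TastyPie code: the `Editor` and `MobileWorker` classes and the `can_edit` function are hypothetical, and the same-domain check is an assumption that the permission is granted per domain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Editor:
    """Hypothetical stand-in for the web/API user making the request."""
    domain: str
    edit_commcare_users: bool
    access_all_locations: bool = True
    location_ids: frozenset = frozenset()


@dataclass(frozen=True)
class MobileWorker:
    """Hypothetical stand-in for the CommCareUser being modified."""
    domain: str
    location_ids: frozenset = frozenset()


def can_edit(editor: Editor, target: MobileWorker, via_api: bool) -> bool:
    # Assumption: the permission is held per domain, so a target in another
    # domain is never editable, whatever the editor's role says.
    if editor.domain != target.domain:
        return False
    if not editor.edit_commcare_users:
        return False
    if editor.access_all_locations:
        # The permission covers every CommCare user; there is no
        # further per-object check to perform.
        return True
    if via_api:
        # Location-restricted users cannot use this API endpoint at all.
        return False
    # Outside the API, a location-restricted editor is limited to users
    # who share at least one of their locations.
    return bool(editor.location_ids & target.location_ids)


# Constructed sample data.
ADMIN = Editor("demo", edit_commcare_users=True)
RESTRICTED = Editor("demo", True, access_all_locations=False,
                    location_ids=frozenset({"loc-a"}))
WORKER_A = MobileWorker("demo", frozenset({"loc-a"}))
WORKER_B = MobileWorker("demo", frozenset({"loc-b"}))
OTHER_DOMAIN = MobileWorker("elsewhere", frozenset({"loc-a"}))
```
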