How to grant writable permission to lithium via REST API?

fengka

You api call might be like this rest("/messages/id/[messageid]/kudos/give");

Change this to restadmin("/messages/id/[messageid]/kudos/give");

restadmin = it's an object to make a REST call with Administrator permissions on behalf of the user . This call essentially bypasses permission checks for the current user

I hope this helps you :)

 Hi TariqHussain,

Thanks for your reply. What id Restadmin() ?  do I need to use any sdk to use this? Can we use the general Rest Client or Curl to call the REST API? Something like this:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer vuVDPEkI+XLytr7hMGo0RkwucYF8belsX2XjI1qu+zM=“ -H "client-id: xxxxxxxxxxxxx" https://api.lithium.com/community/v1/[tanent name]/messages/id/[messageid]/kudos/give

Actually, I am using javascript fetch api for the REST : https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

How can I make the restadmin() in this scenario?

fengka

are you familiar with endpoints ? you need to create an endpoint and you will get endpoint url. with javascript you can directly hit your request to endpoint url.

<#assign msgID = http.request.parameters.name.get("messageid","") />

  <#if msgID !=''>

    <#assign messages = restadmin("messages/id/${msgID}/kudos/give").messages >
     
  </#if >

TariqHussain I am not familiar with the endpoints you mentioned here. The code you show here looks like is a javascript template by using FreeMarker? (Sorry I am not exactly sure about it).

In my case I am using react native to develop a mobile app and it is using purely javascript to make the REST call. the calling is looking like this. I haven't found how to use restadmin() to call the api here.

fetch(httpUrl)
.then(function(response) {
return response.json();
})
.then(function(myBlob) {

});

Hi fengka

For your calls to be successful, you'll need two permission settings (Make REST API calls with read access and Make REST API calls with modify access) to be set to Grant. This is done in Community Admin > Users. I think this will solve your issues. We describe this in our API doc in the Authentication section. Hope this helps.

Hi SuzieH

Thanks for your reply. This is one workable solution. After our lithium forum administrator enbled the allow_restapi_call_modify to (only) my account, I can modify the data like giving a kudo via REST API call. 

This looks like need to grant the permission per user via the setting. However I have further questions:

1. Can we enable the allow_restapi_call_modify to ALL the user by default with one time? We would like to let all the forum registered user modify the data via rest call. If we have to enable it one by one per user, that will be a huge work.

2. If the answer to question 1 is yes, the next question is should we do it like that? Do we have potential security concern if all the user can modify forum data via REST API call?

3. When doing the authentication, we are required to provide "client_id" and "client_secret", can we grant writable permission per "client_id"?

Thanks.

Hey fengka,

You can create a role which all registered users get and grant permissions to that role in Admin->Users->Permissions->Roles. Alternatively you can enable this permission by default across the community in Admin->Users->Permissions->Defaults, however this would give the write permission to anonymous users as well, so I would recommend going with the first approach.

To your other questions:

2) Other permissions would still apply, so users would not be able to modify data that they wouldn't have otherwise have access to. 

3) There is no way currently to tie the permissions to clientid

Hope this helps.