What is the best way to restrict web services access to Sugar?
I'd like to control which users can use APIs to access Sugar from outside the SugarUI.
thanks
FrancescaS
At the beginning of your API, at the same place where you check your arguments, you can check your $api->user object to apply your restrictions.
For example, the ConfigModuleApi checks if you are admin or developer for one module when you try to save a config for a module.
I have some clever users calling the built-in APIs, which are the same ones that Sugar uses for the UI,
like "Contacts/" to query/update/add contacts.
If they can query/enter/update records via the UI they can do it via a webservices API.
It would be nice to just be able to have a webservices ACL per user or per module so I can lock out any chosen user from all or specific modules via webservices.
More importantly I should be able to stop certain users from creating/updating records via web services.
We have some clever people here...
FrancescaS
Can't you use a role or a custom Sugar ACL for that?
If you want to deal with the API only, you can check in a before_api_call logic hook and then manage a security layer at that place, maybe.