Postman and UF authorization


#1

Hello,

I am building a custom API on UF 4.1, with the following two requirements:

  1. Some routes are accessible only to certain users/groups.
  2. Some routes return different results depending on the user/group. (e.g. an admin will get the full data, a user will get a filtered subset).

I need some pointers on how to work with the above, and use Postman to test the API through the UF4 authentication system.

Thanks!


#2

First, to use Postman, you’ll need to bypass the CSRF protection for every POST request you want to test. In 4.1, you’ll need to blacklist the route you want to test to disable CSRF protection. See: https://learn.userfrosting.com/routes-and-controllers/client-input/csrf-guard#blacklisting-routes

As for 1) and 2), in your controller, you can use checkAccess to test for the required permission and show/hide the info you want. Check out the admin sprinkle for an example of how to do that.
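Putting the two points together, as an added example that is not from this thread or from UserFrosting itself: a UF 4.1 controller that rejects the route with a 403 unless the user holds one permission, then uses a second checkAccess call to decide between the full and the filtered payload. The route, the permission slugs (uri_reports, view_report_details) and the sample data are assumed placeholders; the CSRF blacklist entry shown in the comment is only needed for the POST routes you test from Postman and should name only those routes and methods.

```php
<?php
// Added example (not from the thread): a UF 4.1 controller applying both rules
// from the question. Route path, permission slugs and data are hypothetical.
// For Postman, the matching CSRF blacklist entry in your sprinkle's
// config/default.php would be: 'csrf' => ['blacklist' => ['^/api/reports' => ['POST']]]
namespace UserFrosting\Sprinkle\Site\Controller;

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use UserFrosting\Sprinkle\Core\Controller\SimpleController;
use UserFrosting\Support\Exception\ForbiddenException;

class ReportController extends SimpleController
{
    // GET /api/reports
    public function getReports(Request $request, Response $response, $args)
    {
        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
        $authorizer = $this->ci->authorizer;

        /** @var \UserFrosting\Sprinkle\Account\Model\User $currentUser */
        $currentUser = $this->ci->currentUser;

        // Rule 1: the route itself requires a permission; anyone without it gets 403.
        // A guest (not logged in) is rejected here too, since checkAccess fails for guests.
        if (!$authorizer->checkAccess($currentUser, 'uri_reports')) {
            throw new ForbiddenException();
        }

        // Constructed sample data standing in for a database query.
        $reports = [
            ['id' => 1, 'title' => 'Q1 summary', 'owner_email' => 'alice@example.com', 'internal_notes' => 'draft'],
            ['id' => 2, 'title' => 'Q2 summary', 'owner_email' => 'bob@example.com',   'internal_notes' => 'final'],
        ];

        // Rule 2: a second, stronger permission decides how much of each record is returned.
        // Filtering happens server-side, so the client can never ask for the full record.
        if (!$authorizer->checkAccess($currentUser, 'view_report_details')) {
            $reports = array_map(function ($r) {
                return ['id' => $r['id'], 'title' => $r['title']];
            }, $reports);
        }

        return $response->withJson($reports, 200, JSON_PRETTY_PRINT);
    }
}
```

Both permission slugs have to exist in the permissions table and be assigned to the relevant roles before checkAccess will return true for anyone; an unknown slug simply denies access.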