
Scopes

Scopes prevent users from seeing entities through index routes that they shouldn't see. A scope can consist of multiple Scope Items, which define rules for who can see what.

Creating scope items

Scope Items can be created by sending a POST request to /api/todos/scope_items.

To limit regular users to seeing only the TODOs assigned to them, create a Scope Item like this:

{
  "who": [
    {
      "left": {
        "type": "current_user",
        "value": "role"
      },
      "operator": "eq",
      "right": {
        "type": "plain",
        "value": "regular"
      }
    }
  ],
  "what": [
    {
      "left": {
        "type": "entity",
        "value": "details.assignee_id"
      },
      "operator": "eq",
      "right": {
        "type": "current_user",
        "value": "id"
      }
    }
  ]
}
Example request
// Authenticate with the developer API key and declare a JSON body.
const myHeaders = new Headers();
myHeaders.append("X_DEVELOPER_API_KEY", "d5e3ab8d-1fc4-5735-add5-27c3858e3080");
myHeaders.append("Content-Type", "application/json");

// The Scope Item shown above, serialized as the request body.
const raw = JSON.stringify({"who":[{"left":{"type":"current_user","value":"role"},"operator":"eq","right":{"type":"plain","value":"regular"}}],"what":[{"left":{"type":"entity","value":"details.assignee_id"},"operator":"eq","right":{"type":"current_user","value":"id"}}]});

const requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

// Replace your_app_id with your application's ID.
fetch("https://your_app_id.essentialz.cloud/api/todos/scope_items", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

When you create additional Scope Items, they are combined using OR, while the conditions in the who array and the conditions in the what array of a single Scope Item are each combined using AND.
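The aggregation rule above, modeled as a small local evaluator. This is an added example, not the platform's own code: it assumes an entity is visible when at least one Scope Item has all of its who and all of its what conditions satisfied, that an entity matched by no item is hidden, and that a missing field never matches. The "manager" role and "team_id" field are hypothetical.

```javascript
// Added illustration: a local model of the who/what semantics, not platform code.
const walk = (obj, path) =>
  path.split(".").reduce((o, key) => (o == null ? undefined : o[key]), obj);

// Resolve one operand against the requesting user and the candidate entity.
function resolveOperand(operand, user, entity) {
  switch (operand.type) {
    case "plain": return operand.value;
    case "current_user": return walk(user, operand.value);
    case "entity": return walk(entity, operand.value);
    default: throw new Error(`unknown operand type: ${operand.type}`);
  }
}

// Only "eq" appears on this page; anything else is rejected (fail closed).
function conditionHolds(cond, user, entity) {
  if (cond.operator !== "eq") throw new Error(`unsupported operator: ${cond.operator}`);
  const left = resolveOperand(cond.left, user, entity);
  const right = resolveOperand(cond.right, user, entity);
  // Assumption: a missing or null field never matches, so an unassigned TODO
  // is not exposed to a user whose id is also missing.
  return left != null && left === right;
}

// AND inside each array of one item, OR across items.
// Assumption: an entity matched by no Scope Item is hidden.
function isVisible(scopeItems, user, entity) {
  return scopeItems.some(item =>
    item.who.every(c => conditionHolds(c, user, entity)) &&
    item.what.every(c => conditionHolds(c, user, entity)));
}

// Constructed sample data; "manager" and "team_id" are hypothetical.
const eq = (lt, lv, rt, rv) =>
  ({ left: { type: lt, value: lv }, operator: "eq", right: { type: rt, value: rv } });
const scopeItems = [
  { who: [eq("current_user", "role", "plain", "regular")],
    what: [eq("entity", "details.assignee_id", "current_user", "id")] },
  { who: [eq("current_user", "role", "plain", "manager")],
    what: [eq("entity", "details.team_id", "current_user", "team_id")] },
];
const todo = { details: { assignee_id: "u2", team_id: "t1" } };

console.log(isVisible(scopeItems, { id: "u1", role: "regular" }, todo)); // false
console.log(isVisible(scopeItems, { id: "u2", role: "regular" }, todo)); // true
console.log(isVisible(scopeItems, { id: "u9", role: "manager", team_id: "t1" }, todo)); // true
```

Running a candidate set of Scope Items through a model like this against a few user and entity fixtures is a quick way to check that adding an item widens visibility only where intended, since each new item is another OR branch.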

Updating scope items

Updating Scope Items works in a similar way: send a PUT request to /api/todos/scope_items/:id with a JSON body in the same format.

Listing all scope items

You can fetch all created Scope Items by sending a GET request to /api/todos/scope_items.