Joseph
Joseph

Reputation: 865

Template Data Permissions

I have been adding event registrant features into my Apostrophe site. I created a new "leader" group, and if a user is part of that group, the event page should show a table with current registrant counts/basic information:

{% for reg in data.piece.registrants %}
    {% set count = count + reg.attendeeCount %}
      <tr>
        <td>{{reg._user.firstName}} {{reg._user.lastName}}</td>
        <td>{{reg.attendeeCount}}</td>
      </tr>
    {% endfor %}
    <tr class="total-registrant-row">
      <td>Total</td>
      <td></td>
      <td></td>
      <td>{{count}}</td>

I have added a Registrants array to apostrophe-events, which itself contains a single join to a user:

addFields: [
    {
      name: 'registrants',
      label: 'Registrants',
      type: 'array',
      schema: [
          {
              name: '_user',
              withType: 'apostrophe-user',
              type: 'joinByOne',
              idField: 'userId',
              filters: {
                  // Fetch only basic information to show in table:
                  projection: {
                      id: 1,
                      username: 1,
                      firstName: 1,
                      lastName: 1,
                      email: 1
                  }
              }
          },
          {
              name: 'registrationDate',
              label: 'Registration Date',
              contextual: true,
              type: 'string'
          },
          {
              name: 'attendeeCount',
              label: 'Total Attendees',
              type: 'integer'
          }
       ]
    }
]

I noticed that while I was logged in as admin, this worked correctly, but if I logged in as a user in the leader group (who is not an admin), the count would show up, but not the user information. I'm assuming this is because the leader group doesn't have permission to get any users. How would I set it up so that the template either bypasses permissions in this instance, or give leaders permission to view information for any users registered on events?

Thanks!

Upvotes: 2

Views: 71

Answers (1)

Tom Boutell
Tom Boutell

Reputation: 7572

You can use the filters property of your join to invoke any cursor method, including permission, which you can set to false to allow users to be fetched without regard to the permissions of the current user:

filters: {
  // Fetch only basic information to show in table:
  projection: {
    id: 1,
    username: 1,
    firstName: 1,
    lastName: 1,
    email: 1
  },
  // Ignore permissions for this join:
  permission: false
}

```

Upvotes: 3

Related Questions