Allow viewers to store data in app plugin jsonData

Hello all

I’m writing a plugin and using the plugin’s meta jsonData to store things, using the HTTP endpoint /api/plugins/pluginid/settings to save jsonData. However, this endpoint only accepts POST requests from users that have the admin role; the viewer role gets 403 Forbidden as the response.

Is there a way to save jsonData from users that only have the viewer role?

Viewers don’t have permission to change data sources. It might be possible with the more fine-grained access control in Enterprise, but in general you typically don’t want all viewers to be able to update the jsonData.

It would be a security risk if you could. For example, a viewer could update the host URL to one they control to then send configured credentials to it.
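A simplified model of the role check discussed in this thread, as an added example that is not Grafana's code or part of the original posts. The handler, the session tokens and the sample URLs are constructed for illustration; the point is that the role is taken from the server-side session and a non-admin write leaves the stored URL untouched.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample state: shared plugin jsonData and server-side sessions.
var jsonData = map[string]string{"url": "https://metrics.internal.example"}
var sessions = map[string]string{"tok-admin": "Admin", "tok-viewer": "Viewer"}

// settingsHandler models the role check: the role comes from the server-side
// session, never from the request body, and only Admin may change jsonData.
func settingsHandler(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if sessions[token] != "Admin" {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	var body struct {
		JSONData map[string]string `json:"jsonData"`
	}
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
		http.Error(w, "Bad Request", http.StatusBadRequest)
		return
	}
	for k, v := range body.JSONData {
		jsonData[k] = v
	}
	w.WriteHeader(http.StatusOK)
}

// postURL submits a new "url" value with the given token and returns the
// HTTP status plus the url stored afterwards.
func postURL(token, newURL string) (int, string) {
	payload, _ := json.Marshal(map[string]map[string]string{"jsonData": {"url": newURL}})
	req := httptest.NewRequest(http.MethodPost, "/api/plugins/pluginid/settings", strings.NewReader(string(payload)))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	settingsHandler(rec, req)
	return rec.Code, jsonData["url"]
}

func main() {
	fmt.Println(postURL("tok-viewer", "https://changed.example")) // 403, url unchanged
	fmt.Println(postURL("tok-admin", "https://changed.example"))  // 200, url changed
}
```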