Allow viewers to store data in app plugin jsonData

Hello all

I’m writing a plugin and using the plugin’s meta jsonData to store things, using the HTTP endpoint /api/plugins/pluginid/settings to save jsonData. However, this endpoint only accepts POST requests from users that have the admin role; the viewer role gets 403 Forbidden as a response.

Is there a way to save jsonData from users that only have the viewer role?

Viewers don’t have permission to change data sources. It might be possible with the more fine-grained access control in Enterprise, but in general you typically don’t want all viewers to be able to update the jsonData.

It would be a security risk if you could. For example, a viewer could update the host URL to one they control to then send configured credentials to it.
