
How to generate access token with user's approved permissions

Midrub has two types of API apps:

  • Apps with permissions that must be approved by users. These apps will be used for the web scope, for example to sign up with Midrub, control features remotely, etc. This type is still in development.
  • Apps with predefined permissions, where the API app has its permissions approved by default. The user can generate an access token with a username and password. This kind of app is currently used for mobile apps.

In the previous article I explained how to add new permissions from the created apps or components. Below you can see the content of a permission:


set_admin_api_permissions(

    array (
         
        array(
            'name' => 'Read', // Displayed permission name
            'slug' => 'read', // Displayed permission slug
            'description' => 'Users will be able to read content', // Description for admin
            'user_allow' => 'App will be able to read the content' // Permission to approve displayed to user
        )
        
    )

);

When you're using the first type of API app, the value of user_allow is displayed to the user, so the user understands which permissions they are approving.

To load the user_allow value for approval, you have to include the file with the permissions in load_hooks for the rest_init category as well.

Example:


    public function load_hooks( $category ) {

        // Verify if the app is enabled
        if ( !get_option('app_posts_enable') ) {
            exit();
        }

        // Load and run hooks based on category
        switch ( $category ) {

            case 'admin_init':
                    
                // This required file registers the permissions in the admin panel
                get_the_file(MIDRUB_BASE_USER_APPS_POSTS . 'inc/api_permissions.php');

                break;

            case 'rest_init':

                // This required file displays to users the permissions they are asked to allow
                get_the_file(MIDRUB_BASE_USER_APPS_POSTS . 'inc/api_permissions.php');

                break;

        }

    }

As I explained before, hook categories are important because we load only the features we need, without slowing things down for nothing the way other CMSs do with plugins.

The rest_init category is optional, because you could have the second type of API app, where the user doesn't have to approve anything.

If you're using the first type of API app in PHP, you can run a test like this:

 


// Set params
// Note: every value below becomes part of the URL that the user's browser follows
$params = array(
    'application_id' => 'your application id',
    'application_secret' => 'your app secret',
    'redirect_uri' => 'your application redirect',
    'response_type' => 'code',
    'scope' => array('user_posts')
);

// Generate redirect url (http_build_query() already percent-encodes the values)
$loginUrl = 'http://www.yourwebsite.com/oauth2/authorize?' . http_build_query($params);

// Redirect and stop the script so nothing else is sent after the header
header('Location: ' . $loginUrl);
exit;
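
The following PHP sketch is an added example, not Midrub's own code: it builds the same authorize URL and parses it back the way a receiving PHP server would, to show why the query string has to stay percent-encoded when redirect_uri carries its own query string. The helper names (build_authorize_url, received_params, compare_params), the client.example callback and the sample id and secret are assumptions made for the illustration.

```php
<?php
// Added example, not Midrub's own code. All ids, secrets and URLs are constructed samples.

// Build the authorize URL; http_build_query() percent-encodes every value.
function build_authorize_url(string $base, array $params): string {
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Parse a URL's query string the way PHP does on the receiving server.
function received_params(string $url): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $received);
    return $received;
}

// Report parameters that arrived altered, went missing, or appeared from nowhere.
function compare_params(array $sent, array $received): array {
    $report = array();
    foreach ($sent as $key => $value) {
        if (!array_key_exists($key, $received)) {
            $report[] = "missing: $key";
        } elseif ($received[$key] !== $value) {
            $report[] = "altered: $key => " . var_export($received[$key], true);
        }
    }
    foreach (array_diff_key($received, $sent) as $key => $value) {
        $report[] = "unexpected: $key => " . var_export($value, true);
    }
    return $report;
}

$base = 'http://www.yourwebsite.com/oauth2/authorize';
$params = array(
    'application_id'     => 'sample-app-id',
    'application_secret' => 'sample-app-secret',
    // A redirect URI that carries its own query string (constructed sample)
    'redirect_uri'       => 'https://client.example/callback?from=midrub&step=2',
    'response_type'      => 'code',
    'scope'              => array('user_posts'),
);

// Percent-encoded URL: every parameter round-trips unchanged.
$encoded = build_authorize_url($base, $params);
print_r(compare_params($params, received_params($encoded)));

// Same query passed through urldecode(): the literal "&" inside redirect_uri
// is read as a separator, so redirect_uri is cut short and "step" leaks out
// as a top-level parameter.
$decoded = $base . '?' . urldecode(http_build_query($params));
print_r(compare_params($params, received_params($decoded)));
```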

After the redirect, the user will see a page like the one in the video below:

