Limit API responses based on user or role


#1

Is there a method to limit the fields displayed in a response by user role? For instance, I have a user/role that I don’t want them to see certain fields like Id, OwnerId, etc…


#2

You can create a post-process server-side script that checks the user role id before allowing those fields to be returned.

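// Look up the current session to find the caller's role
var result = platform.api.get("user/session");
// Roles 4 and 7 must not see the id field
if (result.role_id === 4 || result.role_id === 7) {
    if (event.response.record) {
        // Remove the field from every record before the response is returned
        _.each(event.response.record, function(record) {
            delete record.id;
        });
    }
}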

https://github.com/dreamfactorysoftware/dsp-core/wiki/Server-Side-Scripting

Another way would be to write a pre-process script that changed the “fields” parameter based on role id. That would be faster than looping through every record to remove fields.

var result = platform.api.get("user/session");
if (result.role_id === 4 || result.role_id === 7) {
    // remove unwanted fields from event.request.body.fields
}
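The two approaches in the answer above, combined as an added example (not part of the original post and not DreamFactory code). It is plain JavaScript with no platform globals; the `HIDDEN_BY_ROLE` map, the function names and the column list are hypothetical, and it assumes an empty or `*` field list means "all columns", which is why the pre-process step builds an allowlist instead of subtracting from the request.

```javascript
// Added example: plain JavaScript, no DreamFactory globals, so it runs offline.
// HIDDEN_BY_ROLE and the column list passed in are assumptions for illustration.
const HIDDEN_BY_ROLE = { 4: ["id", "ownerid"], 7: ["id", "ownerid"] };

// Pre-process step: turn the requested "fields" value into an explicit allowlist.
// Assumption: an empty value or "*" means "all columns", so a denylist cannot
// simply be subtracted from it; expand it against the known columns first.
function restrictFields(requested, roleId, allColumns) {
  const hidden = (HIDDEN_BY_ROLE[roleId] || []).map((f) => f.toLowerCase());
  if (hidden.length === 0) return requested; // unrestricted role: leave untouched
  const asked = String(requested || "")
    .split(",")
    .map((f) => f.trim())
    .filter(Boolean);
  const wantsAll = asked.length === 0 || asked.includes("*");
  const base = wantsAll ? allColumns : asked;
  const allowed = base.filter((f) => !hidden.includes(f.toLowerCase()));
  // Never return an empty list: that would read as "all columns" again.
  if (allowed.length === 0) throw new Error("no permitted fields requested");
  return allowed.join(",");
}

// Post-process step: strip hidden keys from each record as a second check,
// in case the request reached the service with an unrestricted field list.
function stripRecords(records, roleId) {
  const hidden = (HIDDEN_BY_ROLE[roleId] || []).map((f) => f.toLowerCase());
  return records.map((rec) => {
    const out = {};
    for (const key of Object.keys(rec)) {
      if (!hidden.includes(key.toLowerCase())) out[key] = rec[key];
    }
    return out;
  });
}

// Constructed sample data
const columns = ["Id", "OwnerId", "Name", "Email"];
console.log(restrictFields("*", 4, columns));
console.log(restrictFields("Id,Name", 7, columns));
console.log(restrictFields("Id,Name", 2, columns));
console.log(stripRecords([{ Id: 1, OwnerId: 9, Name: "a" }], 4));
```

Matching is case-insensitive so that `Id` and `id` are treated as the same field; a role id missing from the map is treated as unrestricted here, so a deployment that wants deny-by-default would invert that check.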
