Authentication

Resource Access Permissions

Non-admin users require explicit permission to fetch data from REST endpoints. Resource Access Permissions define which endpoints each user category can access. Consider the following request:

curl:

curl -s http://localhost:8082/structr/rest/User

Response:

{
    "code": 401,
    "message": "Forbidden",
    "errors": []
}

Access to the User collection was denied. If you look at the log file, you can see a warning message because access to resources without authentication is prohibited by default:

2020-04-19 11:40:15.775 [qtp1049379734-90] INFO  o.structr.web.auth.UiAuthenticator - Found no resource access permission for anonymous users with signature 'User' and method 'GET'.

Signature

Resource Access Permissions consist of a signature and a set of flags that control access to individual REST endpoints. The signature of an endpoint is based on its URL, replacing any UUID with _id, plus a special representation for the view (the view’s name, capitalized and with a leading underscore).

The signature of a schema method equals its name, but capitalized. The following table shows examples for different URLs and the resulting signatures:

Type                       URL                                                                     Signature
Collection                 /structr/rest/Project                                                   Project
Collection with view       /structr/rest/Project/ui                                                Project/_Ui
Collection with view       /structr/rest/Project/info                                              Project/_Info
Object with UUID           /structr/rest/Project/362cc05768044c7db886f0bec0061a0a                  Project/_id
Object with UUID and view  /structr/rest/Project/362cc05768044c7db886f0bec0061a0a/info             Project/_id/_Info
Subcollection              /structr/rest/Project/362cc05768044c7db886f0bec0061a0a/tasks            Project/_id/Task
Schema Method              /structr/rest/Project/362cc05768044c7db886f0bec0061a0a/doUpdate         Project/_id/DoUpdate

Finding the Correct Signature

If access to an endpoint is denied because of a missing Resource Access Permission, you can find the required signature in the log file:

Found no resource access permission for anonymous users with signature 'User/_id' and method 'GET'.
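The following example is added here to illustrate the signature rules of the table above and the log line just shown; it is not part of the Structr project or this documentation. It derives a signature from a REST URL the way the rules describe (UUID becomes _id, a view becomes its capitalized name with a leading underscore, a schema method is capitalized, a subcollection is written as the related type) and extracts the signature and method from a "Found no resource access permission" log line. Because a URL alone does not say whether a path element is a view, a relationship property or a schema method, the example carries a small constructed schema description (SCHEMA) as an assumption; the function names, the 32-hex-character UUID test and the schema contents are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed schema description (assumption for this example, not Structr's
# own API): per type, its view names, its relationship properties with their
# target type, and its schema methods. Structr resolves these from the schema.
SCHEMA = {
    "Project": {
        "views": {"ui", "info"},
        "subcollections": {"tasks": "Task"},
        "methods": {"doUpdate"},
    },
    "Task": {"views": {"ui"}, "subcollections": {}, "methods": set()},
    "User": {"views": {"ui"}, "subcollections": {}, "methods": set()},
}

REST_PREFIX = "/structr/rest/"

# Log line copied from the documentation above (the anonymous GET on User/_id).
LOG_LINE = ("Found no resource access permission for anonymous users "
            "with signature 'User/_id' and method 'GET'.")


def is_uuid(part: str) -> bool:
    """UUIDs in the page's examples are 32 hex characters without dashes."""
    return len(part) == 32 and all(c in "0123456789abcdef" for c in part.lower())


def capitalize(name: str) -> str:
    """Capitalize only the first character: doUpdate -> DoUpdate, ui -> Ui."""
    return name[:1].upper() + name[1:]


def signature_for(url: str, schema=SCHEMA) -> str:
    """Derive the Resource Access Permission signature for a REST URL or path."""
    path = urlparse(url).path          # accepts a full URL or a bare path
    if not path.startswith(REST_PREFIX):
        raise ValueError(f"not a Structr REST path: {path!r}")
    parts = [p for p in path[len(REST_PREFIX):].split("/") if p]
    if not parts:
        raise ValueError("empty resource path")

    type_name = parts[0]               # collection type, used as-is
    signature = [type_name]
    for part in parts[1:]:
        type_schema = schema.get(type_name, {})
        if is_uuid(part):
            signature.append("_id")
        elif part in type_schema.get("views", ()):
            signature.append("_" + capitalize(part))
        elif part in type_schema.get("subcollections", {}):
            # a subcollection is written as the related node type, and
            # later elements are resolved against that type
            type_name = type_schema["subcollections"][part]
            signature.append(type_name)
        elif part in type_schema.get("methods", ()):
            signature.append(capitalize(part))
        else:
            raise ValueError(f"unknown path element {part!r} for type {type_name}")
    return "/".join(signature)


LOG_RE = re.compile(
    r"Found no resource access permission for (?P<who>.+?) "
    r"with signature '(?P<signature>[^']+)' and method '(?P<method>[A-Z]+)'"
)


def missing_permission_from_log(line: str):
    """Return (principal, signature, method) from a denial log line, or None."""
    match = LOG_RE.search(line)
    if not match:
        return None
    return match.group("who"), match.group("signature"), match.group("method")


if __name__ == "__main__":
    for url in ("/structr/rest/Project",
                "http://localhost:8082/structr/rest/Project/ui",
                "/structr/rest/Project/362cc05768044c7db886f0bec0061a0a/tasks",
                "/structr/rest/Project/362cc05768044c7db886f0bec0061a0a/doUpdate"):
        print(f"{url} -> {signature_for(url)}")
    print(missing_permission_from_log(LOG_LINE))
```

The schema lookup is what makes the classification unambiguous: with the constructed SCHEMA, "info" after a UUID resolves to the view "_Info", while "tasks" resolves to the related type "Task", matching the table. Unknown path elements raise rather than guess, so a typo in a URL is not silently turned into a signature for which no permission exists.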

Flags

The flags property of a Resource Access Permission is a bitmask based on an integer value where each bit controls one permission. You can either set all flags at once with the corresponding integer value, or click the checkboxes in the Admin UI to toggle individual permissions.

Migrating to Structr 4.x

Resource Access Permissions

Resource Permissions (formerly “Resource Access Grants”) have been made more flexible. Rights management now also applies to permission nodes themselves, requiring users to have read access to the permission object to use it.

Manual Migration

  1. Log in as admin
  2. Navigate to Security → Resource Permissions
  3. Enable “Show only used grants”
  4. Migrate permissions:

For many permissions, enable “Show visibility flags in Resource Permissions table” in Dashboard → UI Settings.

Semi-automatic Migration via Deployment

When importing a deployment export from a pre-4.0 version into 4.x+, Structr runs automatic migration using this heuristic:

Resource Access Permissions

Synonyms: Resource Access Grants, Resource Access Grant