Access control

Wireframe API doesn't provide any built-in logic for access control, instead depending on template access settings by default. If you need something more sophisticated than that, BYOAC (bring your own access control).

Access control is currently out of the scope of the Wireframe API module. You can, though, hook into the WireframeAPI::checkAccess() method and implement your own permission check there. If you return boolean false, the API endpoint will send an "Unauthorized" response instead of a regular API response:

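$api->addHookAfter('WireframeAPI::checkAccess', function(HookEvent $event) use ($user) {
    // access was already denied, nothing left to decide
    if ($event->return === false) return;
    // deny every API request from a user who is not logged in
    if (!$user->isLoggedin()) {
        $event->return = false;
    }
});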

If you enable component or partial endpoints, you may publicly expose content that isn't normally available to unauthenticated users. For such use cases it's highly recommended to set up an allow list:

$api->addHookAfter('WireframeAPI::checkAccess', function(HookEvent $event) {
    // access was already denied, nothing left to decide
    if ($event->return === false) return;
    if ($event->arguments[0] === 'partials') {
        // partials are matched by their full path, e.g. "directory/partial_name"
        $partial_name = implode('/', $event->arguments[1]);
        $event->return = in_array($partial_name, [
            'allowed_partial',
            'directory/another_allowed_partial',
        ], true);
    } else if ($event->arguments[0] === 'components') {
        // components are matched by the first path segment; a missing segment matches nothing
        $component_name = $event->arguments[1][0] ?? '';
        $event->return = in_array($component_name, [
            'AllowedComponent',
            'AnotherAllowedComponent',
        ], true);
    }
});
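
The two hooks above can be combined into one deny-by-default policy in which each allowed partial or component is either public or tied to a permission. This is an added example, not code from the Wireframe API module or its documentation: the function `apiAccessAllowed()`, the `$policy` layout and the permission names `api-partials` and `api-components` are assumptions for illustration, while `$api` and `$user` are used as in the hooks above.

```php
<?php
// Added example. Policy: endpoint => [name => required permission, or null for public].
// The permission names are hypothetical; create and assign your own in ProcessWire.
$policy = [
    'partials' => [
        'allowed_partial' => null,
        'directory/another_allowed_partial' => 'api-partials',
    ],
    'components' => [
        'AllowedComponent' => null,
        'AnotherAllowedComponent' => 'api-components',
    ],
];

// Pure decision function, so the policy can be tested without a running site.
// $hasPermission is a callable(string $permission): bool for the current user.
function apiAccessAllowed(array $policy, string $endpoint, array $path, callable $hasPermission): bool {
    // Endpoints this policy does not cover keep whatever earlier checks decided.
    if (!array_key_exists($endpoint, $policy)) return true;
    // Same naming as the allow list hook: full path for partials, first segment for components.
    $name = $endpoint === 'partials' ? implode('/', $path) : (string) ($path[0] ?? '');
    // Exact, case-sensitive match only: unknown names, empty names and "../" paths are denied.
    if (!array_key_exists($name, $policy[$endpoint])) return false;
    $required = $policy[$endpoint][$name];
    return $required === null || $hasPermission($required);
}

if (isset($api)) {
    // Inside ProcessWire: register the policy as a checkAccess hook.
    $api->addHookAfter('WireframeAPI::checkAccess', function(HookEvent $event) use ($user, $policy) {
        if ($event->return === false) return;
        $event->return = apiAccessAllowed(
            $policy,
            (string) $event->arguments[0],
            (array) $event->arguments[1],
            fn(string $permission) => $user->isLoggedin() && $user->hasPermission($permission)
        );
    });
} else {
    // Outside ProcessWire: constructed requests from a user with no permissions.
    $anonymous = fn(string $permission) => false;
    foreach ([
        ['partials', ['allowed_partial']],
        ['partials', ['directory', 'another_allowed_partial']],
        ['partials', ['..', 'allowed_partial']],
        ['components', []],
    ] as [$endpoint, $path]) {
        $allowed = apiAccessAllowed($policy, $endpoint, $path, $anonymous);
        echo $endpoint, ' /', implode('/', $path), ' => ', $allowed ? 'allow' : 'deny', PHP_EOL;
    }
}
```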