Post

2 followers Follow
0
Avatar

Login with API(php) to get content of app if user has right to

|

hi guys,

following situation:

I have 3 podio accounts (=users): A, B, C

I have 1app: 'Clients'

User A created the API application and keys.(on user level, not application level)

Users A and C have acces to the Clients app. User B has no acces to the Clients app.

 

I have a php page that lists all members in the Clients app.

* When I use server-side flow authentication, after authentication, all users (A,B,C) can view all members in the Clients app because the credentials used are the one of the user that created the API keys(=user A).

--> Also retreiving the users id always refers to the ID of the users which created the API keys.

 

I could resolve this using username & password flow authentication. I build a form asking for the users credentials, they pres submit, the page gets forwarded to podio with there credentials, where they have to login again... once they loged in again they grant acces and get redirected to the php page. Than everything works fine.

But I'm not sure if this is the best way to do it... is it possible to have the user only log in once?

Am i doing something wrong? I tried to explain the best i could, i hope you can understand, looking forward to some help....

 

In short what i want to do is: build php page, where users have to login with there podio account which than shows the content of an app, only if they have the right to acces this app... What is the best workflow for this situation?

 

Kind regards,

Anthony

|

Anthony Viaene Answered

Please sign in to leave a comment.

2 comments

0
Avatar

Let me clear up a few things:

  • It doesn't matter what user creates the API key in terms of access to Podio data. The API key is solely used for identifying the client/application connecting to the API.
  • When you use  server-side authentication, your external application has access to the same data (workspaces, apps, tasks, etc.) as the user has on Podio.com. No more, no less.
  • When you use app authentication flow, the user of your external application has access to everything in that app, since you are authenticated as an app, not as a user.

If user B cannot access the Clients app on Podio.com, I can assure he cannot access the app through your external application either, if he is logged in via server-side authentication, that is, logged in as himself.

So either you have confused what user you were authenticated as at which time, or you have been using app authentcation, which provides full access to the app through your external application.

Username/password authentication works just like server-side auth in terms of access - the difference lies in whether the user has to enter his credentials in your external application or at our site - and we definitely recommend the latter for security reasons.

To answer your question: You should use the server-side authentication to make sure that users can't see anything they cannot see on Podio.com.

Casper Fabricius 0 votes
0
Avatar

thanks for the fast respons. For my second test user I used to sign in with gmail but because my main account email adres also is linked to that gmail account, i kinda login twice with same user, with different email adres. I created a new test user now and al seems to work fine with server authentication! thanks for clearing it up!

grtz

Anthony Viaene 0 votes