API permission issues for custom roles

We are encountering a permission issue in the API for custom roles.

If the read/update permission for all modules for everyone is set to deny, and for a particular module the permission is changed to allow for a custom role, then on the UI everything works fine but the API doesn't return any data.

The current workaround is to allow permission for all modules for that custom role.

Hi @sourav.mukherjee,

My first guess is this can be related to the “business logic” of how the permissions system works in Corteza: an explicit “deny” value has much stronger power than an explicit “allow”. Hence when the check is done, “deny” on all modules overrules “allow”. Does that make sense?
Would it be possible to assign “deny” to any other role than “Everybody”, which is a default role for every user?

Kind regards, Mia


Thanks for the quick reply. I understand what you are explaining, but if the permission is set up to deny first then that should reflect on both the API and the UI, right?

Hi @sourav.mukherjee, yes, spot on - permissions affect UI and the API.

So my issue is that the UI is showing everything correctly, but from the API I don't seem to have access to the data.