POST /permitted

Checks an array of permissions for the subject identified by the submitted identifier.

Request format

This endpoint takes a "token", which is the UUID of a user or a user group, and a list of permissions. It returns true or false for each permission queried, indicating whether the subject is permitted to take the given action.

Permissions are fully evaluated, taking inherited roles into account and matching general permissions against more specific queries. For example, a query for users:edit:1 returns true if the subject has users:edit:1 or users:edit:*.

In the following example, the first permission is querying whether the subject specified by the token is permitted to perform the edit_rules action on the instance of node_groups identified by the ID 4. Note that in reality, node groups and users use UUIDs as their IDs.

{"token": "<subject uuid>",
 "permissions": [{"object_type": "node_groups",
                  "action": "edit_rules",
                  "instance": "4"},
                 {"object_type": "users",
                  "action": "disable",
                  "instance": "1"}]
}

Response format

Returns a 200 OK response with an array of Boolean values representing whether each submitted action on a specific object type and instance is permitted for the subject. The array always has the same length as the submitted array and each returned Boolean value corresponds to the submitted permission query at the same index.

The example response below was returned for the example request in the previous section. It means the subject is permitted node_groups:edit_rules:4 but not permitted users:disable:1.

[true, false]
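The evaluation rules described above (roles inherited through a role hierarchy, and a general grant with instance * satisfying a query for a specific instance), worked through as an added example that is not part of the RBAC API or its server code. The role table, the permitted and response_by_query functions, and the "object_type:action:instance" grant strings are assumptions made for illustration; the server's real data model and evaluation are not shown on this page.

```python
import json

# Constructed sample role table (an assumption, not RBAC's data model): each role
# lists its grants as "object_type:action:instance" and the roles it inherits.
ROLES = {
    "node-admin": {"permissions": ["node_groups:edit_rules:*"], "inherits": []},
    "helpdesk": {"permissions": ["users:edit:1"], "inherits": ["node-admin"]},
}

# The example request body from the page.
EXAMPLE_REQUEST = {
    "token": "<subject uuid>",
    "permissions": [
        {"object_type": "node_groups", "action": "edit_rules", "instance": "4"},
        {"object_type": "users", "action": "disable", "instance": "1"},
    ],
}


def flatten_roles(role_name, roles, seen=None):
    """Collect the grants of a role and of every role it inherits (cycle-safe)."""
    seen = set() if seen is None else seen
    if role_name in seen or role_name not in roles:
        return set()
    seen.add(role_name)
    granted = set(roles[role_name]["permissions"])
    for parent in roles[role_name]["inherits"]:
        granted |= flatten_roles(parent, roles, seen)
    return granted


def matches(granted, query):
    """object_type and action must match exactly; the instance matches exactly
    or the grant is the general '*' wildcard (users:edit:* satisfies users:edit:1)."""
    g_type, g_action, g_instance = granted.split(":", 2)
    return (g_type == query["object_type"] and g_action == query["action"]
            and g_instance in ("*", query["instance"]))


def permitted(subject_roles, queries, roles=ROLES):
    """One Boolean per query, at the same index as the query in the submitted list."""
    granted = set()
    for role in subject_roles:
        granted |= flatten_roles(role, roles)
    return [any(matches(g, q) for g in granted) for q in queries]


def response_by_query(queries, body):
    """Pair each Boolean of a /permitted response with its query by index, and
    reject a response whose length does not match the submitted array."""
    results = json.loads(body)
    if len(results) != len(queries):
        raise ValueError("response length does not match number of queries")
    return {f"{q['object_type']}:{q['action']}:{q['instance']}": r
            for q, r in zip(queries, results)}
```

With the sample roles, a subject holding only "helpdesk" is permitted node_groups:edit_rules:4 through the inherited wildcard grant but not users:disable:1, reproducing the [true, false] response shown above.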