The needsPermission function returns a middleware that handles the request before it reaches your test.get function. That middleware checks if the user making the request has the required permission.

You don't have to predefine the permission anywhere. As long as the permission string takes the form XYZ.read or XYZ.write then it will work as expected.

As per the docs, users either have the permission read or *. If it is read then they are allowed to access anything with an XYZ.read permission. If it's * then they can access everything.

The reason for the XYZ part of the permission is to identify the type of resource being accessed - which allows for some finer-grained permissions. For example, a user could have a permission of ["read", "inject.write"] - this would allow them read-only access to the editor, but they would be able to trigger any inject nodes.
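
The matching rules described in the post above, as an added example that is not part of the original post and not the project's own code. The names `scopeAllows`, `hasPermission`, `needsPermissionSketch` and `check`, the `req.user.permissions` location and the 401 response are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the permission check,
// not the project's implementation.

// True when one granted scope covers the required permission string.
function scopeAllows(granted, required) {
  // "*" grants everything; an exact match such as "inject.write" grants itself.
  if (granted === "*" || granted === required) return true;
  // A bare "read" covers every "<resource>.read" permission.
  if (granted === "read") return /^.+\.read$/.test(required);
  return false;
}

// A user may hold a single scope ("read") or a list (["read", "inject.write"]).
function hasPermission(userPermissions, required) {
  const list = Array.isArray(userPermissions) ? userPermissions : [userPermissions];
  return list.some((p) => typeof p === "string" && scopeAllows(p, required));
}

// Middleware factory in the Express style: the handler is reached only
// when the check passes; everything else is denied by default.
// Assumption: an earlier auth step stored the scopes on req.user.permissions.
function needsPermissionSketch(required) {
  return function (req, res, next) {
    const perms = req.user ? req.user.permissions : [];
    if (hasPermission(perms, required)) return next();
    res.statusCode = 401; // assumed status code for a denied request
    res.end();
  };
}

// Constructed harness: run the middleware against a fake request/response
// and report whether the route handler would have been reached.
function check(permissions, required) {
  let reached = false;
  const res = { statusCode: 200, end() {} };
  const req = permissions === undefined ? {} : { user: { permissions } };
  needsPermissionSketch(required)(req, res, () => { reached = true; });
  return { reached, status: res.statusCode };
}
```

With the post's example scopes `["read", "inject.write"]`, `check` reaches the handler for `flows.read` and `inject.write` but returns a 401 for `flows.write`.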